Thursday, July 25, 2013

Lessons from Security Speed Dating


The notes which follow capture three memorable ideas, i.e. keepers, from an inaugural security industry forum in Tucson last week. Details of the event itself are at the end. The three points harvested fall into the categories of best self-introduction by a security director, best insight on active shooters, and best security-related product I wish I had in my last job.

1. Best Self-Introduction (as delivered by a retired police captain and current security director in Alabama):

"I protect people from the acts of Satan and the laws of Murphy."

2. Best Insight (about active shooters, as noted in a presentation by a senior security executive based on his experience in a number of fact-finding commissions after mass casualty incidents, including Columbine):

"Running away is a great option; every child who ran at Columbine is alive today."

The epiphany lurking in this observation is that it runs counter to the current trend to afford equal value to evacuation and sheltering-in-place as the default mantra security professionals have tended to chant when discussing basic options about what to do in any situation, including that of an active shooter attack. In reality, the statistics are starting to show that running away has a higher success rate than hunkering down, although hunkering down remains a second choice, and fighting is emerging as the third option, to advise as a last resort. The bottom line is that running away deserves to take precedence.

3. Best Security-Related Product (as described by Sally Nordeen, Morpho Detection, snordeen@morphodetection.com, in a one-on-one session to answer questions): a handheld device for detecting anthrax and ricin that does the job in 40-90 seconds.

The product is about the size of a large cordless DeWalt drill (which means you can lock it up). It shoots a laser at the substance in question and can detect anthrax, ricin, and thousands of other substances on the spot. The device itself costs $35,000, which can be expensive or a phenomenal bargain. It operates on rechargeable lithium batteries and has a ten-year life. Its official name is the Street Lab Mobile. The manufacturer is Morpho Detection, a subsidiary of the French corporation, Safran. If these names are unfamiliar, it may be because the company started out as a unit of G.E. and was subsequently bought out by the French. Morpho's biggest customer is TSA, and its most recognizable products are the machines that detect explosives concealed in luggage at airports.

Why did I wish I had one of these in a previous life? Chemical and biological threats are hard to assess and usually require access to a Level 4 lab -- something few employers have. Most agencies must go through their local public health system, i.e. their local county health agency, to gain access to such capabilities. This in turn means a lot of time delay and multiple opportunities for bureaucratic missteps along the way, especially if there are several white powder reports raging through a given jurisdiction at the same time. About 95% of bomb threats turn out to be hoaxes, and the number goes up to near 99% for contamination threats. However, this does not reduce the need for a targeted organization to deal with the threats rapidly and effectively in order to limit hysteria, panic, and unintended consequences. If such a device works as advertised, it would have been a godsend when I was in charge of security at a regional water utility. It would have also spared my employer from the endless hassle of reminding local counterpart agencies that taking their suspected anthrax to our water quality lab was not the right way to solve their problem, since we had no classified toxic agents or their surrogates against which to make analytical comparisons and also had no lab workers eagerly seeking out the introduction of potentially lethal substances into their workplace on a futile errand.

Event Details

What was this event anyway? Officially, it was the inaugural session of the ASIS Diamond Club Security Buyers Forum, July 17-19, 2013, at Loews Ventana Canyon, Tucson, AZ. As conceived, this was a security industry forum intended to bring a cross-section of practitioners and suppliers together in the business equivalent of speed dating. An invitation-only event for about 50 security professionals and 30 or so vendors, this forum was an experimental alternative to the giant trade show that the security industry usually operates annually. However, this format was on a more human scale than conventions. By contrast, the annual security convention put on by the American Society for Industrial Security (ASIS) draws about 20,000-25,000 attendees and fills any convention center with the world's largest assortment of exhibits showcasing security products and services. Both events include professional education and networking sessions, and the value one derives from either is probably a function of business need, employer priorities, and personal taste.

-- Nick Catrantzos

Wednesday, July 10, 2013

Rat Fiasco: What's Missing from Fed Insider Threat Program


In a ham-handed implementation that can only be properly described as TSA-esque, the federal scramble to plug leaks now emerges as an exhortation to seize on coworker behaviors to flag them as suspicious and to rat out peers to some unmentioned body of enforcers with the wisdom and wherewithal to do something about real, impending betrayal. That such a scheme should self-destruct is a surprise to no one but its armchair architects. (Details at http://www.foxnews.com/politics/2013/07/10/insider-threat-program-reportedly-orders-feds-to-spy-on-each-other-using-sloppy/) It was doomed from inception. Why?

There are sins of omission and of commission raging through any program like this if it hasn't been thought through. Let us begin with the latter.

Sins of Commission

1. Absent better guidance, such a scheme appeals to the baser instincts of human nature, becoming an instant invitation to settle scores. Is Mary jealous of Irma for having won the last promotion? Then rat her out for too many restroom breaks on the pretext that she must be using them to pass on notes to terrorists. Is Fred unhappy that the boss turned down his requested leave dates because Joe has seniority and asked for them first? Then rat out the both of them for collusive behaviors that must be indicative of running a terror cell. You get the idea. Armchair theorists do not see this fatal flaw because they have never witnessed, from a manager's perspective, the unintended consequences of a flawed implementation of an ethics or anti-harassment program. Run impetuously by amateurs, such programs invariably generate new -- and spurious -- business. The remedy soon becomes worse than the disease, a fear that dates back to Hippocrates' warnings to early physicians.

2. The unthinking reliance on mass distribution of suspicious behavior checklists ends up making every worker the equivalent of the worst TSA automaton: a blind follower of printed instruction who is disincentivized from the all-important infusion of judgment. Why does this happen? Because we live in a society that slavishly follows the LITE mantra, namely Leave It To The Experts. We ask employees to rat others out but don't trust them to think. That is the province of the unmentioned experts, whose expertise is usually assumed or self-conferred.

Sins of Omission

Perhaps the greater fatal flaw arises from what such programs neglect.

1. They respect neither the work force nor the workplace. Insider threats remain statistically rare. (See Managing The Insider Threat: No Dark Corners, http://www.amazon.com/dp/1439872929, for a lengthier and more scholarly treatment of this topic.) The bottom line is that most people, most of the time, are not going around betraying their employers or fellow workers. It is mindless to treat the vast majority of honest employees as ex-cons scheming to violate their conditions of parole. It is equally unfair to the workplace to turn it into a Gestapo-run factory ruled by the lash. All organizations exist for a reason. They have a job that needs doing, and most of these employers cannot turn themselves into full-time witch-hunters without degrading their overall performance.

2. These programs hinge on the assumption that workers are fit only to spot suspicious behaviors as they exist on a checklist but not qualified to evaluate their own information. (See LITE, above.) So the employee who is urged to rat out a coworker is not trusted to do anything more. This situation invariably leaves the reporting employee bereft of feedback, while some self-styled expert runs with the lead or, equally, sits on it. No one can tell what happened outside the select cadre of experts. This situation invites abuse and tends to incentivize expert lassitude, somnolence, and all the other kinds of reaction that attach to bureaucrats who are not, shall we say, all the way committed to excellence. Result? More sitting on data than timely intervention to prevent threats from materializing.

3. Finally, such programs neglect the value of lawful disruption. Face this reality: There are never enough experts or responders to handle every situation. Taking advantage of the initiative of someone on the scene of a catastrophic betrayal is not just the best chance for damage control. It's usually the only chance. It's also precisely the chance these insider programs squander by telling employees, "Leave it to the experts." When insider threat programs stop short of saying this directly, they say it tacitly. They neglect to point out the nearly infinite options that exist for lawful disruption, that is, the short circuiting of pernicious activity through legally permissible actions (p. 135 of Managing the Insider Threat and also the beginning of a chapter on lawful disruption of the insider threat, as inspired by a Canadian senator leading an anti-terrorism committee who noted the value of this tactic).

In the final analysis, this rat-out-your-peers approach to countering insider threats as described above epitomizes a potentially useful idea that was botched in its implementation. It proves once again that there is no smart way to be stupid.

-- Nick Catrantzos

Tuesday, July 2, 2013

Words in Snowden's Mouth: Credible?

Whether one thinks NSA leaker Edward Snowden a hero or a villain, the manifesto (http://www.telegraph.co.uk/news/worldnews/europe/russia/10154064/Edward-Snowdens-WikiLeaks-statement-in-full.html) recently attributed to him is clearly not written by an American. This makes Snowden deceptive or too insipid to stand up to his handler(s) and articulate his own thoughts. Here, through an investigator's lens, are some of the telltale indicators that someone without an ear for Standard American English is putting words into the leaker's mouth:

- "My freedom and safety were under threat." This is not idiomatic, American English. Americans don't say "under threat." We might say "my freedom and safety were threatened" or something "threatened my freedom and safety."

- "My continued liberty has been owed" follows the same pattern. It is out of place. Americans do not say "has been owed" when they can say "I owe my continued freedom to ..."

- "Extralegal penalty" is the kind of term only a lawyer would use, not something to spring forth from a young, unworldly techie.

- "The United States of America have been" is a dead giveaway. USA is singular, not plural. Drunk or sober, a native American English speaker won't get this wrong.

- "Their purpose is to frighten, not me, but those who would come after me" suggests the author has come to English as a second language. The punctuation is wrong for "not me" but the real tell is the incorrect use of "come after me." The author clearly means to use this term in the sense of those who follow in his or her place. However, "come after" in this usage lends itself to the interpretation of "chase me." To an American speaker and writer, "come after me" is something to expect of pursuers, not apostles.

What this manifesto reveals is not Snowden's depth so much as his lack of substance. By letting an unseen puppet master pull his strings, the Snowden marionette only proves himself a pawn in someone else's game.

-- Nick Catrantzos