Days of Enlightenment
Security professionals from around the world gathered in Anaheim, California, in September to attend the ASIS International 55th Annual Seminar and Exhibits. Keynote speakers offered insights on politics and economics. More than 160 educational sessions helped to enlighten attendees on numerous topics. Following are some highlights from the seminar and exhibits. (For in-depth coverage of all seminar events, including products on display in the exhibit hall, see the November/December issue of ASIS Dynamics.)
Rice Reflects on Her Political Role
Keynote speaker and former Secretary of State Condoleezza Rice addressed Wednesday morning’s opening session, affirming her conviction that the American ideals of freedom and equality will grow roots and thrive, even in the world’s most hostile political and social environments.
Rice compared today’s dual struggle of fighting radicalism and fostering democracy abroad to her primary area of academic expertise: the Cold War between the United States and the former Soviet Union. She recalled the decades during which the conflict’s end and the fall of the Iron Curtain seemed unlikely if not impossible.
“If you had said in 1950, 1960, 1970, 1980 that in 1991 the hammer and sickle will come down from the Kremlin for the last time, and the Russian tricolor will go up, and communism in Europe will be done—they would have had you committed,” Rice said.
“So remember the historical context. Today’s headlines and historical judgments are rarely the same,” Rice told a packed convention center ballroom. “If you govern from today’s headlines, you will not have history’s judgments on your side.”
Rice recalled joining the Bush Administration in 2001 as National Security Advisor expecting that her job’s greatest challenges would arise from conflict with powerful states like China. She soon realized—as did the whole world—that the greatest threats emerge from failed states like Afghanistan. They will continue to, she warned, if developed nations ignore such areas, like the United States did following the Soviet withdrawal from Afghanistan in 1989.
In Afghanistan, to which the U.S. military has shifted its focus following a draw-down from Iraq, the fundamental challenge is abject poverty, Rice said. She compared the current $49 billion national budget of Iraq, with its roughly 31 million people, to the situation in Afghanistan, which has a population of about 28 million but a national budget of only $678 million.
“I can assure you that if the United States of America doesn’t find a way to prevent the return of terrorists to Afghanistan and allows them a safe haven, we will pay for it. Abandon Afghanistan, and you can be sure that you will have attacks emanating from there, perhaps even attacks on our own territory,” Rice said.
Later, in an interview with Security Management, Rice said that along with development aid, the nontraditional, civil affairs military operations, in which forces partner closely with the Afghan citizenry, will be critical to success there.
Following her speech, Rice fielded questions submitted by attendees. One question that she took up concerned her greatest source of pride from her tenure in the Bush White House, and her greatest regret. “I hope that I will be right in saying that we were able to defend the country in a way that allowed Americans to go back to their lives after September 11. I often say that I am grateful—not proud, but grateful—that there wasn’t another attack on our watch,” Rice said. Of her greatest regret, Rice cited failure to establish a Palestinian state.
Rice shared a poignant anecdote about direct meetings with some of the world’s most hard-line Muslim clerics. She recounted how they could not—or would not—shake her hand, because she was a woman. At the end of those discussions, however, the hard-liners often asked Rice if she would meet their young daughters. She told the ASIS attendees that she hopes she inspired those young women to pursue their dreams in an equal society.
Since leaving Washington, Rice has returned to academia, where she is a political science professor at California’s Stanford University; she also serves as a fellow at the school’s Hoover Institution. She is currently writing two books: one is a memoir of her time in the Bush Administration; the other is about her parents and their role in her success.
Rice acknowledged the challenge of maintaining the country’s focus on its post-9-11 struggles but says she doesn’t doubt the United States and its allies will prevail. “It is who we are, and when you lead from your values and principles, you succeed. We’ve done this hard, tough work before, and we’ve succeeded,” Rice said.
Stein Shares Wit and Wisdom
Actor, author, economist, and pop culture icon Ben Stein entertained attendees with his trademark wry wit in a joke-filled keynote address on Tuesday. He provided a biting assessment of the U.S. economic crisis and the government’s handling of the issue as well as more general advice on how to “fix America.”
Stein is best known to many for his role as the monotone economics teacher in the 1986 hit film Ferris Bueller’s Day Off, but the sarcastic funnyman also graduated with honors from Columbia in 1966 with a degree in economics. Four years later, he was a valedictorian at Yale Law School. In 1973 and 1974, he worked as a speech writer and lawyer for Richard Nixon at the White House and later for Gerald Ford.
Stein has been a writer for the Wall Street Journal, a columnist for the Los Angeles Herald Examiner and King Features Syndicate, and he is a frequent contributor to Barrons. He has published 30 books, including seven novels and 21 nonfiction books.
In his movie and television career, he hosted the Comedy Central quiz show Win Ben Stein’s Money, which won seven Emmy Awards. He also was a judge on VH1’s America’s Most Smartest Model.
Stein called the current devastating economic crisis “The most amazing example of incompetence on Wall Street and in the government supervision of Wall Street, possibly including the Great Depression.” He blamed Wall Street greed, corruption, and stupidity, adding that they are still getting rich while the rest of the country faces a recession. “It’s as if you caught someone stealing a monumental amount of money…and then you made him president,” Stein said.
He criticized the government’s handling of the crisis and specifically derided former Chairman of the Federal Reserve Alan Greenspan, who is now a corporate consultant; current Chairman of the Federal Reserve Ben Bernanke for dismissing that there could be a housing bubble; and Secretary of the Treasury Timothy Geithner, who said that there could never be a credit collapse.
Stein praised the efforts of security professionals, saying there is no such thing as opportunity without security. “None of it would be possible without security,” he said. “You guys make sure we have security…. That makes you more important than doctors, lawyers, and accountants…. They are the ones you are trying to keep from stealing,” he joked.
Sessions Offer Information,Insight
Businesses face threats ranging from insider theft to terrorism at the same time that a downturn in the economy is reducing the funds available for tackling those threats. Those who attended some of the more than 160 sessions offered at the seminar and exhibits learned the latest in technologies and techniques to meet these challenges. Following are summaries from a selection of the week’s presentations.
Liability. On the evening of August 2, 2007, Kenny McCormack was shot and killed at the apartment complex where he lived. The assailant had previously made threats against McCormack’s life but was not a tenant and should not have been in the complex at the time of the murder.
The security guard employed by the private security company whose services were retained by the apartment complex was not licensed and had a criminal history. The apartment complex said the guard did not follow his post orders to remove the assailant that night, even after hearing the assailant threaten the victim. The private security company countered that it had advised the apartment complex to hire more guards. Now the victim’s family is suing both the apartment complex and the private security company. The jury must now decide who is to blame.
That was the scenario offered by the law firm of Bradley and Gmelich Lawyers during a session that used a mock-trial format to show attendees what happens when things go tragically wrong on a private security company’s watch.
The lawyers in the mock civil case made opening statements, cross-examined the defendants, and ended with closing arguments. Attendees had the opportunity to see how civil lawyers deconstruct policies and practices and pull at the heart strings of a jury to reveal weaknesses that could expose a security company to liability for negligence.
In the case, the lawyers’ cross examinations exposed how sloppy paperwork, slipshod hiring practices, and clear violations of the terms of a contract ended up exposing a private security company to expensive legal fees and possible catastrophic pain and suffering damages.
After watching the mock trial, attendees were asked to play the role of the jury. Interestingly, a good portion of the audience found both the apartment complex owners and the private security company liable for what happened in the murder of Kenny McCormack, clearly surprising the lawyers conducting the exercise.
The reason for the upturned eyebrows was that the facts of the case were very similar to a recent case where Bradley and Gmelich Lawyers defended a private security firm accused of negligence. Unlike in their mock scenario, the law firm successfully argued for summary judgment, meaning the case never made it to a jury trial.
Food safety. Companies whose business is part of the food supply chain should treat all government directives and guidelines like mandates—because anyone sickened by their agricultural products will take that tack, according to the lawyer who helped write a consolidated compliance matrix for food giant Kraft Foods, Inc.
Presenters James Pastor of SecureLaw, Ltd., and Mark Powers, North American regional food security manager for Kraft, collaborated on Kraft’s Food Defense Initiative Committee, which assembled all relevant laws, regulations, directives, and guidelines into a single matrix to track compliance. Separately, the effort grouped all of the doctrines’ security requirements by function to eliminate both omissions and redundancies companywide.
Pastor and Powers showed how the maze of companywide compliance efforts can be distilled into a single-page chart for presentation to executives, with government doctrines along the top of the page and security functions down the left-hand side. Checked boxes show where the company is on track, empty ones show where more work—and funding—are needed.
While compliance with laws and regulations are clearly required, Pastor said that companies should follow all other government recommendations, including directives and guidelines, with the same diligence. After contamination or a foodborne-disease outbreak, the company would not want to tell the public that it did not observe a guideline because it was optional. “I’m here to say that’s not going to fly, Pastor said. “The bigger the issue, the more tragic the issue, the less relevant excuses are going to be.”
As part of the same session, Deborah Allen, CPP, director of product stewardship and security for Potash Corporation, provided an overview of current and emerging regulatory requirements for the food and agriculture supply chain. The government isn’t just putting out regulatory requirements; it is also helping owner-operators limit risk and ensure compliance, Allen said. The Strategic Partnership Program Agroterrorism, for example—a collaboration of the U.S. Food and Drug Administration, the FBI, and the departments of Agriculture and Homeland Security—offers training and tabletop exercises for the food and agriculture sector.
Parking facilities. There’s a reason why the darkened corridors of parking garages get such a bad name: they are the largest single source of accidents that result in injury, according to an expert in parking garage design. And then there’s the problems that aren’t just accidents.
Randy Atlas, CPP, founder of Atlas Safety and Security Design Inc., rolled off a litany of horrible things that can and do go wrong regularly in parking garages: car accidents, theft, assault, carjackings, rapes, and murder. “It’s shocking and appalling how often attacks occur in parking lots,” Atlas said during a presentation that offered a multimedia extravaganza of news, television, and movie clips.
“Why do things go bad in parking facilities?” Atlas asked. He said that most of the time, it’s the negligence of the facility’s owner-operators. Atlas recounted multiple cases where a parking garage owner’s short-sightedness ended in injury and death. For example, one hotel in Key West, Florida, was sued successfully after a crack addict went on a rampage in its parking garage, beating a woman with a hammer, almost abducting her, and then driving off with her car. The hotel exposed itself to negligence when it didn’t provide security guards during business hours on the assumption that they weren’t needed during the day. The woman won millions of dollars in damages.
The solution, according to Atlas, is to design crime prevention and safety into the structure. Because parking garages come in all shapes and sizes, there isn’t a single standard to secure them. High-rise parking garages limit visibility, while subterranean garages produce blind spots that can easily be exploited by criminals, and even terrorists. But there are best practices such as good lighting, strategic placement of CCTV, security guard patrols, strong vehicle barriers, and perimeter protection.
When Atlas investigates parking garage incidents, he says he always finds multiple ways in which the attack or accident could have been prevented. But the absolute worst thing a parking garage can do is put up dummy cameras that create an illusion and expectation of security. If something does happen, that dummy camera will be a clear sign that the garage acted negligently.
Data security. Organizations must constantly protect themselves against an onslaught of cyberattacks. This requires employing many common protective measures, such as running antivirus programs and firewalls. But a few oft-overlooked defensive measures include creating stronger policies on passwords and more IT-security accountability, said IT executive and consultant Steven Yanagimachi at his seminar session.
A security advisor at Chicago-based Boeing, Yanagimachi listed some of the many threats corporate networks face. They include packet sniffing, in which software is used to monitor network activity, and man-in-the-middle attacks, in which one computer intercepts traffic intended for another.
But one of the biggest threats, he said, involves employees opening e-mail attachments that contain difficult-to-detect malware, such as key loggers that capture data via keystrokes. Many companies could benefit from reminding employees not to open attachments from unknown sources, he said.
Companies should strengthen password policies as well, Yanagimachi said. They should check passwords’ strength, particularly when they are hosted on a centralized database. In many cases, he added, traditional password authentication may no longer be sufficient. Companies should also consider the use of cards or badges that authenticate users with an encrypted computer chip, he said.
Yanagimachi also suggested regularly running network scanning tools. Such tools can detect whether vulnerable programs are running, for example, or whether necessary security software is off. He further suggested greater security accountability. He said that he regularly files reports, for example, on detected vulnerabilities. Managers are then required to report back within a few weeks, describing what corrective steps were taken.
Terrorism. Lone-operator terrorism will likely grow during the 21st century, according to seasoned terrorism analyst Jeffrey D. Simon. A former RAND Corporation analyst and current president of Political Risk Assessment Company Inc., Simon reminded attendees that with the exception of the 1993 World Trade Center and 9-11 attacks, all of the major terrorist events in modern U.S. history were perpetrated by lone actors.
Examples of such incidents include the 1920 anarchist bombing that killed 33 people on Wall Street in New York City, the Unabomber, and Eric Rudolph’s campaign of terror, which included the 1996 Atlanta Olympic Park bombing and attacks on abortion clinics in the South.
At the outset, Simon said that he avoids the popular term “lone wolf” because of its cartoonish characterization of a wild perpetrator. While some, if not a majority, of lone-operator terrorists are mentally ill, many are also highly intelligent, making them a critical threat to society.
Unlike terrorists sponsored by a state or radical group, lone operators are limited to the resources within their means. They have a critical advantage, however, in avoiding detection before and after their attacks because most of them have no communication whatsoever with others regarding their operations, which denies authorities a major opportunity to detect them, Simon said. He noted that despite the unprecedented investigation into Unabomber Ted Kaczynski, it took a tip from Kaczynski’s brother to place authorities on his trail.
Simon cited several factors to support his contention that lone-operator terrorism could trend upward in the coming years. One was that the information revolution provides potential actors with unlimited access to both radicalization materials and data on how to carry out attacks. Another was the shift toward “leaderless” terror as networked attacks become tougher to carry out.
The challenges in catching lone operators have fostered the attitude that they cannot be caught before they act and leave a forensic trail. Simon, however, said that “We need to challenge the view that there’s nothing we can do to prevent lone-operator terrorism.”
Prevention can begin at institutions like the U.S. Postal Service (USPS), which has already modified policies in response to cases like the Unabomber’s. The case led to the ban on packages weighing more than 13 ounces in USPS drop boxes, and the agency no longer ships packages with visible oil stains on the exterior. Further measures could include improved awareness training, Simon said.
CCTV technology also holds promise for detecting attackers, according to Simon, noting the potential of gait-recognition software to spot perpetrators wearing suicide vests. Expanded use of biometrics, especially voice recognition, might also help, he said.
Finally, the government can work to boost public awareness of activity that raises suspicion of terrorist activity, such as unattended bags in public places. While such vigilance is fundamental for security professionals, Simon argued that public awareness has in fact waned in the eight years since the 9-11 attacks.
Threat simulations. Threats to people and structures can be natural, like tornadoes and floods, or man-made, like bombs and arson, but the thing they have in common is that they create the need to get people out of harm’s way, said Joseph Smith, PSP. Smith, a senior vice president at Applied Research Associates, Inc., spent the earlier part of his career in the U.S. Air Force modeling the effects of weapons use on buildings and areas. His later career has focused on what he calls the “human effects” of disasters, like how many lives are lost and how many injuries occur. Through his years in the field, Smith has seen an evolution in the state of modeling and simulation.
Models and simulations are essential because— for reasons ranging from cost to liability—it’s difficult to carry out realistic large-scale evacuation drills.
There is more to take into consideration than simply evacuating individuals through the nearest exits. For instance, stairs and exits may be blocked and there may be chemicals or gases present that will impede the egress. Additionally, Smith said that alternative exits, such as windows, may have been hardened against blasts or hurricanes, inadvertently eliminating them as alternative escape routes.
Until recently, simplified event simulations have been lacking, said Smith. A popular model had been the hydraulic model, which essentially treats the egress of people as though they were fluid flowing out of a leaking tube. Smith said those models have many flaws, including the assumption that people start evacuating at the same time and that everyone’s evacuation will be uniform.
The model also does not take the differences in human behavior into account. For example, Smith said that people will tend to go out through the door they came in, even if there is a closer or more convenient exit alternative.
Smith said that modeling and event simulation abilities have vastly improved in recent times. There is now the ability to do “agent-based simulation,” which has each individual recognized as its own software agent with its own characteristics. The new simulators also provide the ability to maintain fidelity to the facility that’s being modeled. The models are dynamic, replete with the capabilities to model for various types of events; they are also realistic, address multiple hazards, and perform event analysis.
One simulator that Smith helped develop is the Event Simulator E-Sim Agent. In that simulator, humans are autonomous agents with individual characteristics. It can model evacuations based on optimal egress scenarios and other situations, as well as use realistic human behavior. Smith recommends involving a cognitive psychologist in modeling, as he says “the trouble with people is that they do strange things,” and their idiosyncrasies must be accounted for in simulations. He adds that models must take into consideration a range of factors; he cites as examples factoring in how people might react if they needed to help small children evacuate or if they were faced with other distractions.
Executive protection. In the global economy, business opportunities exist everywhere, even in some of the world’s most dangerous locations. Executives traveling to such insecure locales, or more secure ones, face a variety of threats ranging from illness to terrorism. Robert Oatman, CPP, president of R. L. Oatman and Associates, Inc., discussed the use of advance planning and onsite maneuvers to successfully extract an executive from a threatening environment or situation.
Oatman discussed scenario-based planning and advised executive protection professionals to do the planning away from the office. He also recommended that the company use its own resources to do scenario-based planning rather than hire an outside consultancy to do it for them. “You need to observe interactivity and connectivity to be successful,” Oatman said.
He also addressed worst-case scenarios, advising companies to ask whether they have made plans for the principal in a number of types of scenarios, including personal medical emergencies, public health pandemics, broad-scale civil unrest, terror events, and transportation disruptions. More specifically, companies should ask if the principal is a special risk based on his medical past, whether local medical care would be sufficient if the principal were attacked or harmed, and what the likelihood of unrest in the country is at the time the principal is visiting.
Oatman said it is important for executive protection teams to physically go to the hospital where an executive might be taken in case of an emergency. In order to form a mental picture, “Go in, go to the front desk,” Oatman said. “There is a sense of empowerment when you are able to do that,” he added.
Maritime security. Terrorists used small vessels in their attack on the USS Cole in 2000 and in part of their plans in last year’s Mumbai terror attacks. Small vessels are also a threat on U.S. waterways, according to a panel of experts who spoke at one seminar session. Among the panel were Gary Supnick, CPP, manager of maritime security and access at the SRI International’s National Center for Maritime and Port Security; Laurie Thomas, maritime security coordinator at the University of Findlay in Ohio; and Bill DeWitt, CPP, corporate security director of SSA Marine/Carrix Inc.
Supnick provided an in-depth look at the details of the Cole and Mumbai attacks, including the way small vessels were used and the short- and long-term consequences of the attacks. The Cole, a U.S. Navy destroyer, was damaged when a small vessel that had built-in explosives pulled up next to the ship and detonated. Seventeen sailors were killed and more than 30 were wounded.
The vessel used in the attack on the Cole was a small boat that was painted and built to resemble the other small boats in the area. The attackers did not speed into the Cole, however; rather, they approached at a normal pace and acted like they belonged in the area, according to Supnick.
In the Mumbai attack, terrorists carried out a rampage that caused damage in two hotels, a train station, a Jewish center, and other areas. In that case, the small boat that the terrorists used to leave Pakistan and get to a larger vessel waiting with supplies served as a support to an attack rather than a means of an attack.
Thomas spoke about efforts to prevent such attacks or use of small vessels in the United States. She explained that small vessels are not just tiny dinghies or sporting vehicles—they can be anything under 300 gross-registered tons. She added that it’s unclear how many such vessels are active in the United States, although there are at least 13 million registered small vessels.
Some of the vulnerabilities in the United States’ inland waterways are choke points, such as the St. Mary’s River in the Great Lakes region; heavy traffic; and dangerous cargo like chlorine, ammonium nitrate, and petroleum products.
Thomas also discussed the various government efforts to increase small-vessel security. One of the initiatives launched by DHS in 2007 was to organize national and regional small-vessel security summits. The summits provided a forum for federal, state, and local law enforcement to interact with the small-vessel community.
DHS released the Small Vessel Security Strategy (SVSS) in April 2008; it laid out goals, including the development of strong partnerships between the small-vessel community and the public and private sectors, better planning, effective use of technology, and enhanced coordination. Thomas said that DHS is still working on an implementation plan for the SVSS and that the plan is expected to provide timelines and translate the goals of the SVSS into actionable items.
Social networking. For online investigators, social networking sites (SNS) are an increasingly popular research tool. But viewing the sites can cause a host of potential legal issues, according to Owen O’Connor, managing director of the online investigations firm Cernam. Legal standards are far less clear on SNS compared to other electronic data, such as e-mail, he said.
Among the concerns raised by SNS investigations are privacy issues. Companies might view information that they are not allowed to see without explicit permission, O’Connor said. Examples could include information about a disability or personally identifiable information (PII) that could be protected by state or federal laws.
In many European Union (EU) nations, the legal definition of protected personal data is far broader. In many countries, for example, it includes any information that, when added to another piece of data, can identify a subject, O’Connor said. In the EU, organizations would need to notify any data-collection subjects, he said. Such subjects would then have the right to access, and potentially change, any collected data. Throughout the EU, any personal research must also be for a specific purpose and for a limited period, he said. If it extends beyond a certain point, it could be considered surveillance, which requires explicit legal permission.
Women in security. Women are a minority in the security industry, but attendees of both genders gathered to hear a discussion of the issue sponsored by the CSO Roundtable. The session highlighted the unique experiences, opportunities, and challenges of female security professionals. Moderated by Lorrie Bentley-Navarro, CPP, of the SAS Institute, the panel featured Marene Allison, vice president of security for Medco; Judy Matheny, CPP, vice president of Guardsmark, LLC; and Linda Harmon, deputy director of security for Accenture.
Panelists offered several “dos and don’ts” for women in the security industry. “Don’t lose your sense of humor,” Matheny said. “Don’t lose your own personality.” She said many women do this because they are working in an environment in which they are trying to assert themselves.
Allison, who was in the first female class at West Point, agreed: “I don’t try to compete with the men, I try to be myself.” She also told female attendees not to try to be men and advised them to accept their gender as a diverse culture that they bring to the job.
Matheny said women should try not to see divisions in the workplace. “The more you see divisions,” Matheny said, “the more you create a divide.” Panelists also urged female security professionals to resist the urge to defend their credentials.
International cultural expectations can play a role in the challenges women face in a global economy, attendees and panelists said. For example, many Asian cultures are considered “masculine,” and women in these countries are often expected to defer to men. The challenge for women doing business in As