Education Sessions Wow Attendees

By Matthew Harwood
On Monday, security professionals attended educational sessions on a variety of cutting-edge topics. Sessions covered issues such as critical infrastructure protection, terrorism, illegal immigrants in the workforce, computer security, and risk management.

Seminar attendees charged with protecting the nation’s critical infrastructures and key resources (CI/KR) received an overview of the Department of Homeland Security’s (DHS) risk mitigation outreach efforts during a Monday session on the agency’s Protective Security Advisor (PSA) program.

The initiative has placed 79 advisors in 60 districts across 40 states and Puerto Rico. PSAs are security experts, most with at least 20 years’ experience, typically in law enforcement, the military, or counterterrorism specialties. PSAs serve primarily as facilitators in protecting 3,000 assets DHS has designated for heightened protection based on the consequence factors of an attack: potential loss of lives and economic impact.

PSAs’ work consists primarily of one-on-one interaction with CI/KR owner-operators, including site visits and assistance with vulnerability assessments to help those operators determine where and how best to direct limited resources for protective measures.

Mike Norman of DHS’s Protective Security Coordination Division, within the Office of Infrastructure Protection, spoke in place of division Director William F. Flynn, who was unable to attend due to the agency’s response to Hurricane Ike in Texas and Louisiana. Norman explained that DHS has set about the massive task of assessing both risk across CI/KR sectors and the cascading nature of failures based on sectors’ interdependence.

OIP has begun the acutely challenging job of assessing consequences within systems, as opposed to hard assets, Norman said. “We’ve done a few, and we’re looking at doing more in the coming year: many, many more.”

The coming year’s budgets will fund added PSAs, Norman said, with plans to post a PSA to each of the nation’s more than 50 state, regional and urban intelligence fusion centers, where officials seek to detect emerging terrorist threats. “If you don’t know your protective security advisors, I recommend you reach out to them,” Norman told the audience. “They’re out there every day, doing great things, working in the community. They’re very energetic.”


Use of product and service vendors is all but unavoidable in today’s security environment. But are the folks who help you protect people and property taking more than their share from your company? That was the topic of a Monday session titled “Vendors: Are They Ripping You Off?”

R.A. (Andy) Wilson, CPP, CFE (Certified Fraud Examiner), and George E. Curtis, a professor in the Economic Crimes Program at Utica College in New York, provided an overview of the crime risks facing security managers who use vendors.

Curtis said that any client company hiring a vendor should require that the vendor abide by the same laws and guidelines as it does—from an internal code of conduct to regulatory statutes like Sarbanes-Oxley. Service contracts should afford the client the right to audit the vendor’s books, to ensure they match up with the client’s, Curtis said.

Curtis further advised client firms to scour and clean out their in-house vendor file. Typically, about half the vendors in those files are inactive, and thus unduly expose firms to phony billing. Companies must also eliminate duplicate or erroneous company titles, for instance the same company listed two different ways, such as “IBM” and “I.B.M.”

The session also covered “the fraud triangle” that is present when employees rip off employers: opportunity, motivation, and moral justification. Red flags for fraud include employees facing personal financial difficulty or suddenly living beyond their legitimate means.

Asked about best practices relative to gratuity policy, such as guidelines for employees accepting gifts from vendors, Wilson recommended a value limit, like $25 or $50, rather than a ban. If gifts are banned, he explained, employees are likely to still accept things like mugs or computer mouse pads, which could create a slippery slope.  


While illegal immigration may be a contentious issue politically, security professionals have an obligation to their companies to assess the liability and risks associated with employing illegal immigrants, said Neville Cramer, a retired special agent-in-charge at U.S. Immigration and Naturalization Services, during a Monday morning session. “Despite one’s personal feelings about ‘comprehensive immigration reform,’ security professionals must realize that employing illegal immigrants poses a growing threat to the safety and security of the United States,” said Cramer. He also noted that it’s illegal.

The exact number of illegal immigrants in the United States is not known, but experts estimate there are 15 to 20 million employed throughout the country. The states with the highest concentrations of illegal workers are Arizona, California, Florida, Illinois, New York, New Jersey, and Texas.

While Cramer acknowledged the industriousness of many illegal immigrants who want nothing more than a better life, he said certain factors associated with illegal immigration present unique threats to the United States. First, illegal immigrants have few, if any, ties to the country. Second, illegal immigrants know their punishment ahead of time if they’re caught committing a crime: deportation. Therefore, some engage in illegal activity knowing that if they’re caught, all they receive “is a ticket home,” said Cramer. 

Cramer distinguished the risks associated with employing illegal immigrants by sector. There’s a “minimal threat” to companies that hire illegal immigrants to do labor-intensive jobs such as farming, landscaping, and day laboring. The risk, however, increases significantly when illegal immigrants are hired to do jobs where they can access sensitive, proprietary information. Such jobs include security guards, building cleaning services, daycare, healthcare, hotel staff, and data entry.

Cramer also warned that fingerprint checks do not prevent the employment of illegal immigrants. There are multiple reasons for this. Many illegal immigrants don’t have fingerprints on file, and there’s little or no verification of a person’s Social Security number, Alien Registration number, or biographical information on the government’s fingerprint card. “It’s false security at the highest level,” he said.


A scholar from the University of Central Florida led a Monday session titled “Looking Beyond the Threat Horizon: Future Trends in Terrorism and their Strategic Implications,” which highlighted the importance of identifying trends amid the violence.

“The need to identify future movements is absolutely important,” said Dr. Stephen Sloan, professor and fellow in the university’s Office of Global Perspectives. He noted that future analysis may seem like an academic endeavor, but it has “serious operations implications.”

Citing the work of his colleague Abeer Abdalla, a Global Connections Advanced Scholar on Terrorism at the university, Sloan discussed the importance of tracking attacks to better understand important trends, including geographic distribution of attacks and information about the perpetrators and the victims. For example, data shows that more than 50 percent of terrorist attack victims in 2007 were Muslim, and Sloan anticipates that inter-religious, sectarian violence will intensify.

And, with more than 2,400 children reported killed or injured in terrorist attacks last year, 25 percent more than 2006, Sloan worried about the legacy left behind. “You have youngsters who are combat veterans at 12 years old,” he said. “I think increasingly warfare will be fought by these youngsters.”

Sloan outlined some ongoing challenges including: state-sponsorship of terrorism with Iran and Syria supporting the destabilization of Iraq, the Taliban resurgence in Afghanistan, the Israeli-Palestinian conflict that remains a source of terrorist motivation, and the opportunities for recruitment that multimedia channels offer.

Some current trends included an intensification of terrorist propaganda, al Qaeda as a global insurgency, and the radicalization of immigrant populations, especially youth and minorities in Europe, Africa, and the Middle East.

In a building flooded with the latest in security gizmos and high-tech services, attendees at a Monday session on security awareness learned that the most important factor in protecting facilities and information is an organization’s staff.

“It is fundamental to have an excellent security awareness program, because…guns, gates, guards? The most important resource you have is people,” said Deborah Russell Collins, executive director of the Chantilly, Virginia-based National Security Training Institute.

Shawn S. Daley, chief security officer of the Massachusetts Institute of Technology Lincoln Laboratory in Lexington, Massachusetts, described a multi-faceted security education and awareness program that regularly engages employees and researchers in different ways, whether they learn best by listening, reading, or watching.

“Audio” learners can be engaged in their new employee orientation, briefings, or a novel device Daley employs: regular security seminars. “Readers” might best be reached through informational packets, newsletters, and easy access to government counterintelligence materials. “Visual” learners might benefit most from World War II-style security posters, which Daley recommended arranging on a strategically placed bulletin board, which he calls a “Security Corner.”

Daley recommended reaching out to the National Security Agency (NSA) based at Fort Meade, Maryland, where fellow speaker H. Robert Kennedy Jr. runs the agency’s Counterintelligence Awareness Division.

Kennedy’s office indoctrinates all new NSA employees and contractors to ensure they are prepared for the ever-present threat of elicitation by foreign agents. The division also produces myriad visual education materials, like posters, which it distributes free of charge to all government security stakeholders who ask.

All the speakers, including Kennedy, said security must appear accessible so employees will feel comfortable reporting concerns. Training and education programs can help demonstrate that accessibility. “We want people to come see us. We want to stop something before it becomes a real problem,” Kennedy said.    


In the session “Recognizing, Assessing, and Managing Those Who Present Workplace Risk: A Case Study,” speaker John Lane, vice president of crisis and security consulting at Control Risks, provided advice on how to recognize and deal with potentially violent employees. He pointed out to a standing-room-only crowd that 70 percent of workplaces do not have a formal workplace violence program, despite findings that there are thousands of threats of violence every workday.

One challenge in fighting workplace violence is the fact that about 43 percent of those threatened and 24 percent of those attacked at work do not report the incident, according to the Bureau of Labor Statistics. Lane said it’s important to conduct training and demonstrate to workers that your team is capable and prepared to respond to workplace violence issues.

Lane dispelled several common workplace violence myths, including the perception that most incidents come out of the blue. “These incidents don’t just happen spontaneously,” said Lane. “People work through a process—there is a pathway that people will pursue toward ultimately committing violence.”

Some of the risk factors for workplace violence that Lane pointed out are paranoia, depression, and feelings of grievance. “People will rationalize in the workplace that others are out to get them…will ultimately have increased potential to commit violence.”  

The process of evaluating an employee’s violence risk should be a fluid one, warned Lane, because in many cases, the evaluator won’t get the information he or she wants and needs. For example, it’s difficult and sometimes impossible to get accurate mental health and criminal histories. “Whatever type of a conclusion you draw as a team today about the risk that an individual presents is going to change probably before that day is over, especially if you’re doing your job and you’re trying to acquire more data.”

Ten years ago security professionals never imagined that everyday objects like airplanes, fertilizer, and the postal service could be used so effectively by terrorists. And perhaps no other country faces as many rapidly changing security challenges as Israel.


In a Monday session titled “Cutting-edge Security Development in Israel–Intensive Co-op and High-tech,” a senior advisor at the Israel Export Institute said the next great terrorism threat will be the unconventional weapon of mass destruction. “There is a lot of activity among terrorist organizations trying to obtain this type of weapon,” Major General David Tsur said.

He pointed to the Madrid train bombings as an example of the effectiveness of the suicide attack strategy. The attack prompted voters not to reelect the incumbent political party, and the new government pulled Spanish forces out of Iraq. Even though the bombing was not a huge terrorism attack in terms of casualties, “it became a strategic attack because of the influence on the government, which had to take actions and measures because of the public pressure.” He added: “It’s the most primitive weapon you can think about.”

In 2002, Tsur said, there were 145 incidents of suicide attack. In 2004 the number was reduced to 50, and in 2005 to fewer than 10. Several companies made presentations about new high-tech tools used to fight terror, but Tsur warned, “Technology by itself cannot solve the problem.”

