Tuesday, December 18, 2012

What We Can Do NOW about school shootings

          I hate this subject. I hate listening to the self-proclaimed experts who rush to the microphones to roll out the predictable arguments on the predictable subjects. I hate having friends think I might be one of those media scavengers. With grandchildren the right age to be in Sandy Hook Elementary School, I hate even thinking through the incident.  It’s Christmas and those babies will never see Christmas Eve.  Can’t we just leave the children and the teachers and the families alone?
            No, I guess not. I have been working homeland security issues for 15 years. One of those issues has been school safety, where I spent several years looking at preparedness for and response to shootings at major universities. And I am getting calls from family and friends asking what we can do NOW about the problem.  So this advice is not about high capacity magazines, or mental health diagnoses, or anything else that will take months or years and a big political fight to put in place. This is about what can be done this week so your local school, or church, or meeting hall can be safer and feel safer (which is a major issue) next week. And it is in the form of questions so you can think through the solution on a LOCAL LEVEL. You don’t have to wait for a national solution to better protect your children now.
PLEASE NOTE: I am not second guessing the teachers and police at Sandy Hook. We still don’t know what happened. We are just trying to add layers of security right now while the danger of a copy-cat remains high. 

1)      How can you better DETER mass murders? Through fear of failure. The losers who commit these acts can’t bear the thought of another failure. So a police car parked out front might help, or a community patrol in the parking lot (always reporting, never confronting). Branding matters, too. Many perpetrators seek fame, power and revenge. They want to be called “shooters” and “gunmen.” Deny them that. Killers like this one don’t “snap.” They plan methodically. So intervene during that planning, by reporting anyone who talks about taking such actions. And call the perpetrators what they are: Pathetic Losers.
2)      How do you put more DISTANCE (both space and time) between the losers and the innocents? The Israelis increase security by expanding the perimeter – challenging people in the parking lot, not inside the terminal. Yes, you can do this with new fences, cameras, gates and metal detectors – all expensive. But again, community patrols could help – and they are free. The DHS-sponsored Citizen Corps already helps create local teams with Neighborhood Watch, Volunteers in Police Service, Fire Corps, Community Emergency Response Teams, and Medical Reserve Corps. Tens of thousands of our citizens have been organized and trained – then wait for months or years for a call to duty. Many are retirees who can volunteer time and flexibility. We are not talking about armed patrols here. Just a 2-person team with a radio asking why a 20-year-old guy in fatigues is carrying a duffle bag across the school parking lot could be a big help.
3)      How can you DETERMINE possible threats? This one is hard. It requires confrontation, and that is not for unarmed volunteers. If you really want increased security, at some point you will need more armed security patrols and on-scene response. Somebody has to coordinate the volunteers, handle the communications and reports, and respond to problems – potentially well-armed and deadly problems. This is not an additional job for overworked teachers and administrators. And one part-time “resource officer” teaching DARE and discouraging gangs is not the answer. Even if the response team (and that is what it will take) is composed of retired officers or constables, it will be expensive. And not every school will be able to afford this. On the other hand, mass shootings have been at upper end schools, not inner city schools. So my advice is for communities to take the measures they think appropriate and can fund now – and let the courts and officials work out longer term solutions.
4)      Once there is a shooting incident at a school or church or public gathering, how do you DISPERSE? Having worked this issue at a university, I know there is a big disagreement over what to do during a crisis. There might be multiple violent losers about. They might be in several places. They might be waiting for the halls or school yards to fill with students evacuating. They might have put bombs at the exits. So there is disagreement over whether to Run, Hide or Fight.  My personal take is that Fighting is out for grade school teachers and children. And moving targets are harder to hit than students trapped in a classroom. So I would plan to lock down for a violent loser outside, and disperse (as with a fire drill) from an active threat inside. Again, volunteer patrols with radios could be very valuable. But the point of this blog is to encourage people to think through the questions locally, not just take my advice.
5)      Now the hard nut of the issue – how to DEFEND? What follows will be controversial.  The military response to an ambush (and that’s what school mass murder approximates) is immediate violent counterattack, under the assumption that the assailants have carefully planned the attack, and only an immediate violent response can break their organization and counter their advantage. This is not the standard law enforcement response to “shots fired.” Officers may arrive immediately, but then they set up a perimeter, establish command and control, expand situational awareness, and await special teams. This is the correct response to domestic disputes, botched bank robberies, and other common situations where time is on the side of the police, and every minute that passes reduces the chances of further murders. But this is the wrong response to the planned, methodical massacre of six year olds trapped in a room where every moment’s delay means another murder. More trained officers on the scene more quickly, “marching to the sound of the guns,” is the solution. This will require more resources and a change in law enforcement culture.
6)      And finally, how to get these new concepts of preparedness and response right?  DRILL. You can’t get it right without getting it wrong first in practice. Plan, exercise your plan, correct your mistakes, start the cycle again. To repeat, this requires a security team – not just more duties for a struggling principal.

As I said at the top  – we don’t even know what happened at Sandy Hook yet. And from early reports, the administrators, teachers and police responded according to plan.  So this is not a criticism of them or a call to new national action. This is just a pointed response to a pointed question – what can we do NOW to make our local school safer against violent losers? So I offer some points to consider in trying to protect our children from the Thinking Enemies who threaten them. Please take these points in the constructive spirit with which they are offered.   God bless us every one.

Tuesday, December 4, 2012

Cyber Pearl Harbor

More than seven decades after the fact, Pearl Harbor still holds a special grip on the American psyche.  Other surprises have had a worse tactical impact. The North Korean attack in the summer of 1950 almost pushed the US out of South Korea, launched a war that became a tactical draw, and locked us into a Cold War struggle that lasted 40 years and cost trillions of dollars. Other surprises have had worse strategic implications. The discovery of Soviet nuclear missiles in Cuba pushed us to the brink of nuclear war. But none of the other military or diplomatic surprises we have suffered has left a sense of outrage, helplessness and betrayal as powerful as that occasioned by those images of US flagged dreadnaughts, helpless and burning, in our home waters.
And so the remarks of the Secretary of Defense take on a special meaning when he talks of the danger of a “Cyber Pearl Harbor” in America’s future. Here is what Secretary Panetta said to Business Executives for National Security earlier this year: “destructive cyber-terrorist attack[s] could virtually paralyze the nation . . . They could, for example, derail passenger trains or even more dangerous, derail trains loaded with lethal chemicals. They could contaminate the water supply in major cities or shut down the power grid across large parts of the country . . . disable or degrade critical military systems and communication networks . . . The collective result of these kinds of attacks could be a cyber Pearl Harbor.” (http://www.defense.gov/transcripts/transcript.aspx?transcriptid=5136)
But a cyber attack is not the same thing as a broad devastating physical attack (as with a nuclear weapon). Disruption might be great, but actual death and destruction would probably be minimal. And most of the critical infrastructure involved could eventually be repaired and returned to use. This has caused some critics to doubt the Pearl Harbor comparison. (For example, see John Arquilla at http://www.foreignpolicy.com/articles/2012/11/19/panettas_wrong_about_a_cyber_pearl_harbor)
I think this criticism misses the nature and intent of the original Pearl Harbor attack. And so a short strategic review is in order. Starting in 1904.
Set on expanding their power in the Pacific, the Japanese decided to focus on Russian holdings in Manchuria. They first launched an attack on the Russian Pacific fleet at anchor at Port Arthur (in February of 1904 during diplomatic negotiations). After land and sea battles lasting more than a year in what we now call the Russo-Japanese War, the Russians sent their Baltic Fleet wheezing around Africa and across the Indian and Pacific Oceans, only to be almost entirely destroyed by the Japanese Fleet in the Battle of the Tsushima Straits. Unwilling to pay more for holdings so far from home, the Russians withdrew and accepted the new reality of Japan as a Pacific power.
The implications for the Japanese decision to attack Pearl Harbor 37 years later are obvious.  Their hope was not to destroy America, or even destroy American military power forever – but to present the Americans with a dilemma so expensive that they would accede to the Japanese intent. Could they hurt us so badly that we would pull back from threatening the Greater East Asia Co-Prosperity Sphere? Thus, the Pearl Harbor attack was, as Clausewitz famously said of all war, “the continuation of policy by other means.”
This is an important lesson to remember as we begin to banter about “Cyber War” as though we really understood its implications. Japan was wrong about the US will in 1941. But Pearl Harbor might have worked somewhere else sometime else against somebody else.
The goal of a cyber attack would presumably be the same. Catch us unawares and take out an element of critical infrastructure (electricity, water, banking and finance, petrochemicals, air travel, military response) in a way that inflicts enough pain to make the US reconsider a course of action. That happened to Estonia. It happened to Georgia (coupled with a ground attack). It has happened most recently to Israel. A Cyber Pearl Harbor need not be about destroying everything everywhere for all time. It could just be about destroying enough to influence our decisions and our power in the world. It might be, in the words of the Sec Def, “an attack that would . . . paralyze and shock the nation and create a new, profound sense of vulnerability.”
That is something worth worrying about. And worth acting to prevent.

Sunday, November 25, 2012

Solving Cyber Security

I am usually a fan of Heritage Foundation products. So it is with regret that I disagree with their argument that “information sharing” will solve the problem of national level threats to cyber security (http://blog.heritage.org/2012/11/15/cybersecurity-act-of-2012-defeated-but-a-similarly-flawed-executive-order-is-around-the-corner/). However, my 15 years of teaching and writing in homeland security convince me they are wrong. Here’s why.
Many people think of a computer like a telephone. You use it to connect to only those you want to talk to. Not so.
Unless you actively intervene, when you connect to the internet, your computer is potentially connected to every other computer in the world. Your friend’s computer, your bank’s computer, the Russian mob’s computer – every one can call you and listen in, whether you know it or not. It is like living in a house without walls. Unless you put up curtains, everyone can see what you are typing, sending, and filing on your computer. And everyone you contact needs curtains, or else the computers at your doctor, your bank, the credit card company, etc. are all subject to having their information (which now includes your information) compromised as well. Unless you all put up walls, outsiders can even hijack your computer to use it as a weapon against others, or they can use someone else’s computer against you – all without your knowledge. In fact, without special protection, every computer connected to the internet – at hospitals, chemical plants, police stations, airports, nuclear power plants – every one is open to attack and hijack. This threatens the entire nation, not just you and your personal computer.
Remember, the internet was designed to let a few trusted military stations communicate during a nuclear war. Security was provided by controlling access to the few computers available, and the few connections that linked them. Now, with a much expanded internet and no security features designed in from the start, security against attack must be added on, like a roof rack and trailer hitch added to a sports car. And that’s not easy, because the whole idea of the internet is to connect quickly and smoothly to many other computers.
So the security measures you apply – that everyone applies -- must be able to recognize quickly innocent computers and “open the door,” while instantly identifying malevolent computers and shutting them out. Meanwhile, this challenge changes constantly – many times a day – as attackers routinely develop new ways to use the doors you must open in the course of normal internet operations.
Meeting this challenge is difficult and expensive, and nobody wants to pay the price in time and money. This is true of individuals, who rarely know exactly what to do to fully protect their computers. It is true of government, where small budgets and long procurement times almost always produce outdated systems with outdated protection schemes. And it is especially true of business, where security is perceived as all cost while creating no new profit.
Now the situation is becoming critical, with vulnerabilities mounting to the point that the Secretary of Defense has warned of a “Cyber Pearl Harbor” which might cripple the nation as a whole.
What to do? How to ensure people and organizations improve their security daily as threats mount?
Some are pressing for government mandated standards, and centralized government power to monitor who is meeting the standards and punish those who don’t. Heritage rejects this as a sole solution, and so do I – plodding traditional government bureaucracies alone just can’t keep up with the changing means of attack.
But Heritage and some others think voluntary “information sharing” will be enough to encourage everybody to protect themselves (and you and the nation in the process). I don’t. Experience is clear – most people, most agencies and most businesses simply will not learn what needs to be done, pay for it, and do it, unless there is some direct reward for being good, or direct penalty for being bad. Voluntary compliance on something so important poses an extraordinary risk.
And so the solution is . . . well . . . some experts say the only solution is to rebuild the internet from scratch, incorporating security from the ground up.  Good luck with that.
Before I offer my solution to patrolling the information highway, let’s consider how we reached an acceptable level of security on the real automotive highways we all use every day.
Automobile use began with maximum freedom – design anything you want, go anywhere you want, use any driver you want. No headlights, no safety glass, no car seats for children, no licenses for drivers. Everybody just cooperate and share information on auto safety. Result:  mayhem, injury and death – and excessive hazards to ourselves and others.
Eventually, however, we ended up with a system that combined essential government regulation with a reasonable amount of freedom. Today we accept design regulations, speed limits, drivers licenses, safety inspections, etc., but within those rules we drive when and where we want. How did we reach this balance? How did we arrive at a system where my neighbor is allowed a reasonable degree of freedom in using a tool that can threaten my life, and yet we all stay reasonably safe?
Answer: through a system that includes reasonable government regulations, fines and penalties for violating those regulations, and stiff civil judgments against those who ignore the regulations and cause harm to others. Individual freedom balanced by both civil and judicial punishment for those who act irresponsibly.
Perhaps this is not a bad way to think about how we are going to control traffic and irresponsible drivers on the information highway. Not government over control. Not libertarian bumper cars with public safety and security at risk. But a balance of rights and responsibilities, bounded by minimum safety regulations, punishments for violation of those regulations, and civil penalties for damages inflicted on others. 
Drivers Ed anyone?

Friday, November 16, 2012

Getting it Wrong Next Time: Sandy, Leadership and the Press

     The poor response to Hurricane Sandy is more than a national disaster.  It is a national disgrace.
     Tens of thousands of American citizens were still sitting in cold, dark, wet, ruined houses weeks after the storm passed through. This hurricane was not “unthinkable” as the Governor of New Jersey said. It was anticipated years ago and its impacts detailed by DHS as one of “15 National Planning Scenarios.”
You can read a brief summary of the predictions for a Category 5 storm (Hurricane Sandy was only a Cat 1) at http://www.globalsecurity.org/security/library/report/2004/hsc-planning-scenarios-jul04_10.htm. DHS, FEMA, Emergency Managers, and Federal, State and Local Officials should have been thinking about this, talking about this, planning for this, and exercising their plans for years. Instead they blew off these responsibilities and focused on what they wanted to focus on -- lesser issues they know how to manage -- challenges that let them be in charge and distribute the money without revealing their inability to deal with what the head of FEMA has called a “Maximum of Maximums” event. The press should be all over this. Instead, all the guilty are off the hook. There are several reasons why:
- Press resources were spread thin between the election and the storm. The A Team was on the campaign trail and that is where the producers focused. So national networks depended on local reporters and stations to cover the story – and they focused very locally. Nobody told the story of the whole storm and the whole disaster as a whole.
- The story was hard to cover. The storm came ashore at night reducing the dramatic pictures - and the viewing audience. It produced thousands of road blocks making travel difficult. And there were few dramatic rescues. It is easy to take a picture of people on a roof. It is hard to capture cold children in a dark, wet house.
- The press really did not want to damage President Obama in a tight election. They harped on the hug between Governor Christie and the President, but touched lightly on the bewildered citizens looking for food and warmth.
- The press really did not - and does not - understand this story. They are focused on gas lines, shelters and blanket distribution. They should be focused on response plans and coordination between jurisdictions. They do not know enough to question the proper use of NIMS (National Incident Management System). They fault FEMA and the Red Cross without asking “where are the local officials FEMA and the Red Cross are supposed to coordinate with?” They never heard of the 15 National Scenarios and do not recognize the collapse of DHS’s vaunted "Whole of Community" response. They do not see how political inattention crippled infrastructure over time and made repairing that fragile infrastructure difficult.
- The press has missed the story about the struggle between National Security and Public Safety -- between Emergency Managers and Security Professionals -- for the soul of homeland security. They do not know that the crimped vision of local Emergency Management has won out, so there are no real national standards for measuring local preparedness. The losers in this struggle, as we see on TV, are the citizens.
- The press really does not understand that top leaders (federal, state, and local) had the opportunity to prepare for exactly this problem and threw it away. Here is the question the press should be asking: “National guidance says state and local government should have been ready for an event like Sandy. When is the last time you and your staff exercised your plans for response and recovery on this scale?” We all know the answer. I would like to hear elected officials say it out loud.
- And finally -- much of what Katrina wiped out was in such bad shape that it could hardly be called infrastructure. And most of the people directly impacted moved (to Houston, Dallas, Los Angeles, etc.). You could take time for recovery, because the homes and businesses were largely abandoned. But the damaged parts of NY and NJ are densely populated with functioning neighborhoods and Critical Infrastructure important to the nation as a whole. The residents want to stay during the rebuilding. How do you recover, while the people stay in place? This is not easy. It requires planning and preparation which federal, state and local leaders, liberal and conservative, did not do.
The press is not calling these leaders to account for these failures. And so the next time we face a terrible but fully anticipated disaster, we can expect more of the same.