OPINION: Panic is the New Normal, America

The last few weeks have been an interesting time in the world of security. We've seen the death of nine innocent lives at the hand of Dylann Roof, seen the panic derived from the unfounded speculation at events like the Navy Yard active shooter scare, and most recently, our nation has suffered an unimaginable blow at the hands of a young man who killed four Marines. In all of this, our discourse with one another has gotten more combative and often, bordering on nonsensical. People are allowing mass hysteria to justify an enormous amount of gross speculation and outright lies and misconceptions about security and mitigation to infiltrate our discussions about the things which provide protection. At times, I have found myself engaged in some of these discussions to only find myself more frustrated and wary from addressing the problems of allowing this mass hysteria to grow at the rate it has. In fact, here, I'd like to address what are the problems and what are some possible solutions.

Lately, it seems like I constantly rehash my favorite topic - the semantics of security. If you're not familiar, I'll digress and explain briefly. I look at security as a mental construct we use to nullify our fears long enough to meet certain life-sustainment activities. In other words, security is nothing more than the things we do to "feel" safe. When we practice "security", we're addressing what we think the adversary will do. Ironically, we do this often without ever seeing the bad actors in action. That's right. We lock doors and windows, primarily, because we believe bad guys will be turned away from locked doors. Time and time, we do this under the assumption bad guys don't pick us to steal from because the doors are locked. What this never accounts for is the determined adversary. Who is this? Someone who gives not a single iota about that locked door, only that it may delay him from gaining entry. What protects us from the bad guy is really something called mitigation.

Basically, mitigation is about dampening the effects of an attack. It recognizes the threat is real and will come eventually. It looks at the complete threat profile and determines its capabilities, opportunities, and motivations. By doing so, we can implement a comprehensive mitigation strategy that not only detects the adversary but possibly, deter, delay, and destroys him. Earlier, I mentioned locked doors. They aren't bad. In fact, those "secure" entry-points are a part of mitigation because they aid in detection, deterrence, and delaying further infiltration. Most novice security practitioners are unaware locks and doors are rated based on their ability to delay penetration. So what does this have to do with our current discussions on security?

Most of your average citizens promote ideas about security based on things they think will work. As someone who has done this kind of work, how many people have you encountered that don't do it but swear they get security? How many of their ideas are lofty, unrealistic, unfeasible, unsustainable, and just pure wrong? Whenever I talked with people about securing the homes, a common statement was "I already have security - it's called a *insert dog breed, gun caliber, or pretend-military/MMA status*". These folks assumed whatever that one thing they had would be adequate to address one kind of threat using one or two vectors. Some would argue one or two of those things will cover most threats to them. That may be true but it neglects other viable threats which may possess other capabilities that aren't countered.

The fix, in part, lies in how we think of the threat. Take the military recruitment center shootings. Loads of people have been saying for the last 48 hours, we should send military police to secure these facilities. They claim these guards would possess the skills and equipment needed to neutralize the threat. What's strange is that most of these people are only considering one type of threat before we even have a confirmed motive from the FBI.

Most believe banks with guards don't get robbed because the posted guard at the bank has a gun. A secret among many bankrobbers is most aren't armed. Bank policy, as is widely known, is to give up whatever money is designated by the bank for robberies to the robber. The bad guys know this and many don't want to jeopardize more time in prison by getting caught with a gun AND the cash. So they opt for the note. The reason they don't hit banks with guards is because the guard has a gun AND radio. A saying I was always fond of when I did security as a civilian was "You may outrun me but you'll never run faster than my radio". What most miss in the discussions about MPs at recruitment centers is that most profiled jihadi active shooters FULLY expect the police and do so expecting to be shot. Remember this - the Dalton gang and others robbed a many of banks and trains that had armed guards. All in all, armed guards only turn away less determined adversaries.

This work, called risk management, requires us to analyze the threat for what is, what it can do, the damage a successful attack can cause, and our mitigation. In the current FUD (fear, uncertainty, and doubt) environment we're in, there's a tendency to deify the adversary to a point where they are seemingly omnipotent and omnipresent. One successful attack and we're suddenly unsafe and at danger of losing everything. What's crazy is that it never acknowledges the connection between the mental construct of "security" vs protection. Is it no wonder, then that after one successful attack, we assume the sky is falling? It's as if the sanctity of safety we constructed our actions has blinded us to what is real and imagined in security. Naturally, we assume we need to do more to "feel" safe rather than fix, eliminate, or upgrade our existing mitigation. Additionally, the loss of human life is unacceptable for any security setting. Having his enemy lose one life, regardless if the shooter lives or dies, is considered a victory for some shooters. Given our intolerance to having personnel killed, this is not wholly untrue.

There are a number of solutions to our current security crisis. Some are good. Some are very good. Some are faulty. Some are flat-out dangerous and wrong. These attacks will only increase, as will the speculation about future attacks, hoaxes, and troubling events. Even more certain is we have to continue having the difficult discussions we're having. Nothing gets solved by having discourse with people who always agree. Ultimately, the solutions don't rest with the victors of our collective shouting matches. They lie in how we understand the threat, the risk they pose, our mitigation, and how we define "safe".

VIDEO: Folks, DON'T try ANY of this at home!!

I found this video on Facebook. The author, Idan Abolnik is a Krav Maga "expert" and former Golani unit member. While his bio is impressive, I'm not quite sure who has a range that will allow this or the risk acceptance he and his participants seemingly do. I caution you: DO NOT TRY THIS AT HOME!!!

Sun Tzu Quote of the Day

PICTURE: Picture Perfect Deterrent

OPINION: The Color of Legit

Be forewarned – this involves critical thinking:

The death of a childhood friend and subsequent similar homicides at the hands of criminals with guns in our inner cities has brought me a great amount of reflective pause about how we visualize the legitimacy of homicide victims. Seemingly, there is a great abundance of news headlines featuring homicides that have become all-too-familiar. The victims are usually young, African-American, and live in some of our most populated cities – places which used to be known for significant wealth and prosperity but now are a reflection of something much darker. Their assailants are also described as young, African-American, and from the inner-city. If we’re being specific, there’s also the added description of the homicide which usually “tells us all we need” – the murder was “gang-related”. Many times, our initial summation and often ill-informed analysis hinges on these circumstances. That “analysis” takes just under a few seconds but the power it conveys lasts a lifetime.

What’s most striking is in this internal discourse of legitimacy is not that we’re wrestling with the notion of whether the crime happened but whether the victims “deserved” to be killed and if so, whether a crime even occurred. Come on, admit it. How many times have you heard of a 16 year old kid in Chicago being murdered and saw the words “gang-related” in the article somewhere and thought “Figures”? Oh, you haven’t heard of those kinds of homicides before? No worries, we’ll cover that later.

This perception just doesn’t end with race. “Legit” victims have political parties, live in certain neighborhoods, and subscribe to our favorite religions. I’ll make a small wager – I could post the names of Chicago’s shooting deaths and won’t get near as many “retweets”, “favorites”, “shares”, or “likes” as I do when I post about cop deaths or guys in the military. Don’t get me wrong – I served in both capacities and those deaths were honorable and deserved being mentioned. That being said, what does it say about the value we place on human lives, when we feel certain deaths are worth more of our attention than others. Those officers died on those streets to stop crimes like those murders from happening, yet we’re astoundingly silent when it comes to remembering those dead. Why is that? Is there some part of us that can’t or won’t acknowledge a certain dark truth which is not “all lives matter”?

I was on the podcast, CovertContact not too long ago and somewhere in my rant there, you’ll probably notice I was very emphatic about something I feel will be a pressing national security issue soon. If we don’t embody what we preach which is “all lives do matter” in every fiber of our national fabric, then those who continue to feel devalued will act as those they and those who look just like them have no value. 

Sadly, the crisis we have growing exponentially doesn’t require me to furnish any statistics to make this point – the truth is all too apparent. That simple but very present reality is that unless victims match our skin color, go to our churches, believe in exactly the same things we do, and are willing to admit our supremacy on matters where we disagree, their lives are as meaningless as those “retweets”, “favorites”, “likes”, and “shares” I mentioned before. This is not a crisis we should crave or even begin to think we’re adequately prepared for. Care not because their lives matter but care because all lives truly do matter.

RIP Danny Williams, 29 years old, college graduate, Christian, father, son, brother, cousin, and loyal friend.

OPINION: Why Security Is Killing Risk Management

   For more than a little while, I have been writing quite a bit about the difference between security and mitigation. In that time, the United States has been riddled with numerous security breaches in both the physical and cyber realms. Whether they were riots over allegations of police brutality or breached firewalls protecting sensitive data, our headlines seem to allude to a failing state of security.
 
   As a professional who is on social media quite a bit, I have witnessed, firsthand the hysteria surrounding these incidents. Every attack seems to be tweeted or blogged about to a point bordering on obsession. To be honest, I could not be more enthralled. Sure, these events are quite insightful for practitioners wherein we learn how to defend against similar attacks in the future or conduct them ourselves. But that’s not what excites me. No. I’m thrilled to see events which demonstrate the connection between the psychology behind security, the illusion of protection it provides, and how our confusion about the differences between security and mitigation has created our current security crisis.

Security vs Mitigation

   In order to understand how security is killing risk management, let’s go over a few key terms. First, as stated before, security is nothing more than a psychological construct to provide us with the assurance that we’ve done everything possible to keep us safe from various threats. Humans are very fearful of their demise and naturally, see threats to their survival as intolerable. Often, this feeling of security comes from repeating “safe” behaviors and providing what we assume are adequate protection measures. This, as we all know, is often based on untested data and the myth wherein victims can think in much the same way as their assailants.
 
   Protection is what we do proactively to deter, deter, delay, and destroy attackers, through mitigation. A great example is an executive protection detail. No successful detail operates on the assumption they can prevent attacks. Everything they do is with respect to the attack happening. This is what makes them very good at what they do and why so many in this field go on to become successful throughout the security industry.

   Security, as we know it, is often done with the mindset victims can prevent attacks. For example, we lock doors because we assume they will deny an adversary entry. What we fail to grasp is that the lock is there to delay the attacker so natural observers or victims can have sufficient time to detect the attack and take action. Many victims enter into a mindset where a locked door is all they require to be safe, without sufficiently comprehending the scope of the adversary’s capabilities and the target’s inadequate mitigation tools. Knowing the difference between security and mitigation is a great start to understanding the importance of risk management over just feeling safe. Heck. It’s the key to it.

The Important and Not-So Subtle Difference Between Threats and Vulnerabilities

   Speaking of risk management, there are a few other terms I think we should cover. Risk management has two fundamental keystones - threats and vulnerabilities. Often, we confuse threats with vulnerabilities in ways we don’t catch always. For example, I’ve seen people react to discovering a vulnerability as being one of the worst security events. This couldn’t be further from the truth. In fact, I find knowing there are areas where a potential bad guy can exploit to enable their attack to be quite insightful. Sure, we like to catch these vulnerabilities before an attack but that’s not always the case. What’s our insurance policy for such attacks? Planning ahead as if it’s already going to happen. What do we call that? Oh, that’s right - mitigation. Threats are merely bad actors who use vulnerabilities to conduct kinetic operations against their targets.

   Sometimes, I feel as if we forget that catching bad guys is the goal of effective protection measures. The threat will come and you should be prepared long before they do. You could plug every hole you can find but ultimately, as I heard throughout my military career, “the enemy gets a vote”. He will find a way in, inevitably, that you will miss. You should plan as though Murphy’s law is actually true. Often, no matter what you do, you may not catch the bad actors. This leaves you with having to take away as much power from the enemy’s punch as possible. Whether you’re reinforcing concrete or hardening firewalls, the premise is the same - if you can’t beat ‘em, make it hard as heck for them by shoring up existing vulnerabilities and anticipating the impending attack.

   Perhaps, two of the most important and misunderstood terms in risk management are probability vs possibility. I see you over there laughing. If you are, then you probably know exactly why this is such a pet-peeve of mine. With every major security event, there’s always someone on social media who declares “the end is nigh”. They begin rattling off how bad the breach was and then end by telling you how bad it’s going to get. Very few times, do you actually receive any sort of mitigation advice. If you’ve been following me since the now-infamous OPM hack, you’ve no doubt heard me prattle about this.

   Most of the consternation about the state of security is centered around our confusion between probability and possibility. This was perfectly illustrated by a not-so recent story about the Islamic State capturing an airbase which had a few MiGs. Immediately, social media erupted with reports and predictions about ISIS flying MiGs very soon. If you know anything about training modern pilots and how the U.S. conducts targeting operations, you know this is not likely to happen. In other words, the probability of MiGs flying over ISIS territory is very small. Sure, it’s possible but not likely. A reality star who isn’t a narcissist is possible but not very probable. This is important to remember because security measures often fail based on how possible something is rather than it’s probability. Countless resources are expended on something that is not likely, while we ignore the threats we encounter daily. Successful security organizations employ measures based on a balance struck between a high probability of attacks happening always and the needs of the end-users.

Protect Yourself By Understanding Your Risks

   Risk management is nothing more than understanding what you have, whether you can lose it, who or what could take it from you, and what it will take to get it back or recover from its loss. In essence, risk management is nothing but acting proactively against a probable threat and ensuring you’re able to protect and if need be, recover from its loss or damage. The problem is, if social media is any indicator, many companies and organizations don’t do this. Again, let’s briefly discuss the OPM hack. I saw the eyeroll. I know we don’t have all the facts. I get that. I digress.

   OPM was allegedly hacked by attackers who stole sensitive data on federal employees. This is, understandably, big news. As it should be. The attackers were able to gain the information by attacking non-patched Department of Interior servers. The information, according to folks formerly in the intelligence community, is extremely valuable counterintelligence information and compromise is completely unacceptable. What’s striking is, as I have noted on Twitter, the servers were connected to the Internet and vulnerable to outside attackers. Yet, neither OPM or the Department of Interior bothered to patch the servers or encrypt their data. They, presumably, thought the threat of attack was minimal and did not require adequate mitigation. Imagine the likelihood of uproar had they just simply encrypted the data they stored. The government did everything I said earlier not to do.

   So what’s the answer? Simply, don’t do security but do mitigation. Being proactive with protecting yourself and your assets doesn’t require hiring Blackwater/Xe to track down Chinese hackers before they strike. No. Tailor your protection to what you will do when the attack occurs, the mission and goal of protection (detect, deter, delay, and destroy attackers), and what it will take to recover from the attack. Balance your measures between the likely or probable threats versus those that are possible but not highly likely. Before venturing off into the great abyss of security’s greatest enablers (fear, uncertainty, and doubt), I implore you to “see the light” and find the “truth” in mitigation through risk management.

'WWYD': Security Guard Gets Too Personal by ABC News

Our hidden cameras are rolling at the "Bethenny" show as a security guard takes things too far.

Killings in Somalia | Documentary | HD 50 min by Carlo Picar

Killings in Somalia | Documentary | HD 50 min Somalia's president says he "wants answers" from South Africa after the brutal murder of a Somali man in Port Elizabeth, Al Jazeera has learned. The Somali man, 25-year-old Abdi Nasir Mahmoud Good, was stoned to death on May 30 by a mob. The violence was captured on a mobile phone and shared on the internet. Sheik Mohammed, Somalia's president, called on his South African counterpart Jacob Zuma to "act immediately" to arrest those responsible. Kamal Gutale, chief of staff in the Somali presidency, told Al Jazeera on Monday: "The president has asked Mr Zuma and his foreign minister to look into the matter and investigate the brutal killing and violence." The murder is the latest in a number of attacks on Somali immigrants in South Africa. Police are investigating the death but no one has been arrested. Graphic footage The Somali presidency said the issue was raised on the sidelines of the Tokyo International Conference on African Development (TICAD) in Tokyo on Sunday, after the Somali community was hit by a series of attacks in South Africa over the last week. The graphic footage shows the bare-chested Good lying in the middle of a street while a mob pelts him with rocks and boulders as pedestrians and vehicles pass by. Local media said Good was attacked while trying to protect his shop from looters. He was also stabbed in the violence. The Somali community in South Africa, which numbers a few hundred thousand, reacted with outrage. The Somali Association of South Africa (SASA) told Al Jazeera that at least five other Somalis have been injured and about 40 shops have been looted in the four provinces across the country. Government inaction "At the time, President Zuma was not aware of the incident and expressed surprise," Gutale said. The South African president promised to look into the matter, he said. But SASA said that the South African government has repeatedly failed to act on this and previous attacks on foreigners. "This is not the first time; this is happening over and over again. The South African government is not taking action, the community is angry and every time this happens, nothing is ever done," said SASA spokesman Ismaeel Abdi Adan. The South African presidency was unavailable to comment. The African Centre for Migration and Society at Witwatersrand University in Johannesburg, said in a report released in 2012 that Somali-run businesses suffered disproportionately from crime, including attacks by competing South African traders. The South African government has said that previous violence against foreigners was a result of criminality and not xenophobia. In 2008, more than 50 foreign African nationals were killed in a spate of violence against foreign nationals across the country. To Learn More about the killings in Somalia: http://ift.tt/13gcu7Y Two UN workers killed in Somalia, Al Shabaab spokesman "welcome killings": Read more at: http://ift.tt/1D9npn7 Subscribe to my channel: http://ift.tt/1D9nsiT Check out my portfolio website: http://ift.tt/1HZQ6TW Check out my photography website: http://ift.tt/1JcAiNY

VIDEO: Al Jazeera Investigates - Inside Kenya's Death Squads by Al Jazeera English

via IFTTT

OPINION: How The Shooting In Sweden Teaches Us Trust Is A Must In Security

Last night, there was a shooting which occurred in one of Sweden's suburbs involving AK-47s and innocent people being shot with two or more being brutally murdered. Within the initial moments of the rest of the Western world being notified of this tragedy, a great many of people on social media immediately began to elaborate if this was the work of Islamist terrorists, despite the police saying otherwise. The police spokesman, Ulla Brehm is quoted as saying, "The shooting happened in an area of the city with a history of gang-related violence." The media has also attributed the spokesman as saying it was "too early to speculate on the motive but said there were indications that the shooting was gang-related....There is absolutely nothing that indicates terrorism.”

As many of you know, I have experience in criminal investigations. While I won't touch on how I'd investigate this, what I would like to do is share some insight into these preliminary and often-wrong "guesstimates" and how they damage our credibility as security professionals.

1. These "guesstimates are usually wrong. VERY wrong and miss a lot of key facts in the weird calculus that creates them. A few people I spoke with, last night, said the attacks were the work of Islamist terrorists. What's strange about that is the police NEVER EVER provided the public with ANY suspect descriptions and NO known terrorist group nor the "operators" claimed ANY responsibility, yet many people seem to be very certain this is the work of jihadists. I surmise this is the result of a spate of terrorist attacks involving guns in Western countries and our natural inclination to see correlation and make connections that may not be there.
   
   Another key fact missing is the lack of burning vehicles described in independent or eyewitness accounts, despite several on social media claiming this was the case. Many even used this mythology to explain their hypothesis that this was the work of Islamists. Perhaps, you missed that; so I'll repeat it: THERE WAS NEVER A SINGLE CORROBORATED ACCOUNT OF BURNING VEHICLES BUT MANY AMERICANS REPORTED THERE WERE AND THIS POINTED TO ISLAMISTS. In fact, those burning cars happened weeks ago. I know that sounds like terrible analytical practice, at worse. That's because it is, at best.
2. Contrary to what many believe, there's always more than meets the eye. I'm a serious fan of Transformers. If you didn't get the reference, there's not much I can do for you. Just kidding. No. Seriously, nothing. I digress.
   
   Many on social media either simply ignored potentially exculpatory evidence or were so eager for this to be the work of terrorists they missed a key component: growing and escalating gang violence in Sweden and throughout Western Europe. That's right, folks. Sweden has gangs and many are armed to the teeth. In fact, not too long ago, Swedish media reported a gang fired "machine guns" at a police station. There's a fallacy that "gun crime" akin to what we see in America only happens in America and that only certain "guns" are the weapons of known terrorist or guerrilla groups. However; a cursory examination of Swedish media shows the AK-47 is VERY prevalent in certain violent crimes.
   
   The British newspaper, The Guardian reported, "There have been dozens of shootings involving criminal gangs in Gothenburg, many of them in the Biskopsgaarden area - a housing estate with a large immigrant population and high unemployment - in recent years, however fatalities are relatively rare.
   
   A man was shot dead in an apartment in the area in May last year and two others died in suspected gang-related shootings in late 2013.
   
   In January a man was shot in the leg close to the scene of Wednesday’s shooting."
   
   The video below shows such a "typical" crime with an AK-47 occurring in Sweden.
   
   
   
   There are some who will point out that many of these gangs are "Muslim youth gangs". What's striking is this ignores the existence of any corroborative and objective evidence which makes the case these gangs are "Islamic". Many are comprised of members who are young immigrants from predominately Muslim countries. However; until one of these gangs expresses some sort of jihadist ideology, they're just criminal gangs. Sweden's has a burgeoning and rapidly expanding organized crime network not always on the radar of its Western neighbors. Many of these non-Muslim gangs have had quite a history of death and mayhem in their wake. Check out what the Hells Angels have been up to there:
   
   http://www.thelocal.se/20121028/44096
   
   And..here:
   
   http://www.thelocal.se/20101008/29510
   
   Here's a list of other gangs:
1. Albanian mafia
2. Bandidos Motorcycle Club
3. Black Cobra (gang)
4. Brödraskapet
5. Fucked For Life
6. Hammerskins
7. Hells Angels
8. Naserligan
9. Original Gangsters (gang)
10. Outlaws Motorcycle Club
11. Sala gang
12. Serb mafia in Scandinavia
3. Bad theories based on bad or missing facts diminish our credibility and the public's trust in our field. Many Americans don't "get" security and they rely on a variety of "trusted" sources to assist them in making decisions regarding security. Some of these sources are objective and reliable. Many are not. Social media is wrought with both kinds. Unfortunately, many, as we've discussed before, are biased and too eager to share faulty theories. How many times can we afford to make predictions and analysis that is blatantly wrong or follows bad analytical practices before our entire industry is treated in the same dangerous fashion as TV meteorologists who give dire storm warnings but are ignored. Like every storm, I find more and more people making security-related decisions based on the idea that anyone can "do" security. 

I expressed no theories here regarding potential motives or suspects because I don't have all of the facts. This could be the work of Islamist terrorists. Sweden has had two terrorist plots foiled recently. Sweden is also currently at odds with Saudi Arabia and the UAE. They've also "outed" a number of Russian spies and have seen an increase in Russian "aggression" and posturing. That being said, at the end of the day, this was a murder that took place at 4 o'clock in the morning in Sweden. The cops have the advantage of having a look at evidence long before the public does. Perhaps, as academics and practitioners, we should keep our hypotheses regarding motive and suspects to ourselves, until we learn more. In an era of rapid-fire tweeting and hashtag punditry rife with inaccuracies, our industry and the public could use our silence and restraint at times likes these.

OPINION: What Mrs. Clinton's Email Problems Can Teach Us About Security

"Msc2011 dett-clinton 0298" by Harald Dettenborn. Licensed under CC BY 3.0 de via Wikimedia Commons.

Over the last two weeks, we’ve been inundated with emails and presidential candidates. I won’t spend a lot of time talking about Mrs. Clinton and what her emails may or may not contain. I could spend an entire series of blog posts on that topic. However, there are some very interesting insights this story gives us into how we perceive what security is, where we feel most secure, and whether any of that makes us more secure.

So let’s begin our discussion: NOTE: I’m no hacker or IT-guru. I’m a guy who blogs and who has a ton of opinions on this stuff. However; I’m also someone who has worked with senior-level persons and I understand how some of these components work. By no means are my opinions facts but merely points to consider.

1.  Security is about convenience over protection. Remember when I said “security is about peace of mind”. Mrs. Clinton decided it would be more “convenient” to send her emails (personal and professional) through a single server which she owned. Why? She reasoned, because her government-issued Blackberry could not hold more than one email account, it would be better to have a single account. Many users, especially government users, bypass existing security protocols and do and have done exactly this (except many don’t have servers at home). Does this make it right? No. The government has policies in place that state this is bad security practice and a violation of certain public records laws. Yet, ask any security professional how many times they’ve witnessed an end-user potentially compromise protective measures through circumvention out of convenience and you’ll note immediately how much their eyes roll.
2. Just because a senior-level government official is discussing something doesn’t make it “classified information”. There’s been a massive amount of speculation on the kind of information any investigation would turn up on Mrs. Clinton’s servers. Like I said, I won’t attempt to go into that. However; let’s address why we perceive there would be classified information and whether that’s likely. Sure, being Secretary of State entails having access to some of our nation’s greatest secrets. The job requires it. Some of that information is considered “classified” and others not-so-much. When pieced together with other information or on its own, that material could be extremely sensitive. The very nature of the potential discussions Mrs. Clinton could have had over emails has created a great amount of concern – as it should.
   
   Senior leaders are given amenities like secure telephone and other communication lines in their homes and offices to facilitate these kinds of sensitive discussions with “cleared” persons. In fact, during ASIS 2014, I had the great honor and privilege to hear Colin Powell speak about his time as Secretary of State. General(r) Powell recalled his final days in Mrs. Clinton’s old job and the day the Diplomatic Security Service agents assigned to him and the information technology staff left his residence while removing his secure lines from his home on his last remaining day. It should be noted Mrs. Clinton should have had the same amenities extended. As such, I’d be curious if the Internet service her server accessed did so via government-installed communication lines or privately-owned and installed lines. I digress, given the nature of what could have been discussed; it should give security practitioners who advise senior leaders on protective measures pause.
3. Government computers and services are NOT intrinsically more secure. These last two weeks, the deluge of speculation, regarding the security of Mrs. Clinton’s email traffic being more secure had it been through government servers, has been extreme. Seriously, have we forgotten about a number of breaches on government email and sites in the past few years? We’ve caught hackers breaking into NASA, NSA, the State Department, and the Pentagon computers. Where most of this confusion comes from is not quite understanding what having your emails on a government server entails versus what a private (or as widely-and-annoyingly termed this week “homebrew”) server does. People hear “government server” and they immediately conjure up an image of a secure server with loads of encryption which would require a team of seasoned hackers to compromise. In fact, while watching a cartoon the other day with my son, a character brags “I hacked NORAD when I was six”. Hacking into these systems should be a big deal because they are. However; they are not invincible to the same kinds of human security failures and poor security mindset when they’re designed and implemented as their commercial partners. 
   
   Your government email service can easily be hacked in the same way your private email can. Lose your credentials to log into a government computer without noticing and use a password or PIN that is easily guessed. Sadly, that happens more times than many outside of government service would ever be willing to admit. A government server does bring one thing a private server does not always – the full extent of your government agency’s information technology team, most of whom are the best and brightest at what they do and who defeat a variety of threats constantly. In other words, when a breach occurs, this team can respond immediately and use the weight of the government to mitigate the breach. Mrs. Clinton knew this, yet felt she and her staff could do better. Given what little we know of what could have been breached or whether a breach even occurred, this could have been true. That being said, it doesn’t make any of her decisions right.
4. The extent of how much protection to provide sensitive information disclosure is not up to the user but those who have the designated expertise within the organization. Mrs. Clinton, while acting as Secretary of State, had every right to make her own determinations regarding how her agency would protect sensitive information to some extent. That did not provide her with any right to decide, without consultation or coordination with her information security staff at the State Department, to forego policies she enforced on her subordinates. It is highly doubtful Mrs. Clinton would have absolved a junior-level employee who would have been caught in a sensitive information breach from their personal email account. No, we all know she would have directed her staff to punish them. However; the implied arrogance to believe you can enforce one security policy meant to mitigate vulnerabilities and lessen risk while ignoring your own failure in abiding by those very decrees, is striking, to be honest.
5. Politics obscures our ability to ascertain the more important security issues in crises like these. Mrs. Clinton’s enemies are clamoring to be the first one to hand her an indictment or hold her letter detailing her retirement from politics. While that is unlikely, it seems to be a centerpiece in most political discussions regarding the emails. Most of this is centered around the potential for classified information being on the servers. Again, this is unlikely, given we still have zero clue about what’s on the server.
   
   What have not been discussed are the very relevant questions pertaining to total protection and mitigation. No one has addressed to any significant degree whether Mrs. Clinton is the only Cabinet member to have done this (she isn’t) and whether she received advice from her designated State Department IT staff (I’m betting she didn’t and relied on her political staff’s IT department who are not government employees). I’d also be curious whether the Secret Service devotes any time to protecting their protectees online as well (doubtful and perhaps an area to pursue). How many people had access to her server? At what level were they cleared? This is important because in order to read unclassified emails which contain “For Official Use Only” you need to be a “cleared” employee. Very few people are asking these questions but should.

Does any of this make us safer now that we know? In some ways? Yes. In others? No. Mrs. Clinton’s emails crisis occurred for a variety of reasons. Many of those were aggravated because she is a political entity at her core. She may have felt as though having a server she owned she was more “secure” from some threats of the political variety. While it is always good to protect yourself from threats, one should not forget the more likely and persistent threats which are present because of the job you hold. She lost sight of that and ultimately forwent some very sound security practices. Then again, she may have well had a number of mitigation measures in-place. Unfortunately, we may never know what they were and thus remain a bit unsure of our protection.

Murphy Is In Full-Effect

There's an old adage - "If it can go wrong, it will go wrong." This week, I've had my basement flood, work pile up to my eyebrows, midterms, and WordPress (previous blogging platform) caused a fatal and unrecoverable error for my blog. Luckily, I maintain a copy for posterity and mostly, because I always figured this could happen. For the delay and confusion this has caused my very loyal readers, I'm extremely sorry. The Security Dialogue is back, though. While I get everything back to the quality you richly deserve and provide the content I know you enjoy, I'll be posting some new articles and possibly more from the podcast, The GateShack. As I tell my son, "Sit back, relax, and enjoy the ride."

Insight: How The Day I Almost Shot Someone Is Shaping Me As A Security Practitioner

Trucks go through the Mobile Vehicle and Cargo Inspection System at Camp Navistar, Kuwait. (Source: US Army)

What I’m about to write is something I share no glory writing. In fact, what I’m about to tell you is something few people have heard me tell and no one until now understands why it’s such an important experience in my life.

Let me begin by going over briefly my military background up until this experience. I joined the Air Force in 2000 and enlisted in a category known as “open general”. I qualified for any job I wanted but I only desired to be a fireman. Unfortunately, I wasn’t picked for that assignment. I was selected for a career-field in the Air Force known as Security Forces (SF). Basically, I was the classic military policeman in my early years – I checked IDs at the gate, responded to various law enforcement calls for service, emergency response, base security, etc. In 2002, I was deployed to Kuwait for the first time. It was an interesting and perilous time to be there. We’d been deployed to provide air base defense, in case the Iraqis wanted to start the war before we did. Essentially, I protected planes, pilots, and maintainers so our aircraft could kill Sadaam and his men. Pretty cool, huh? Not really. It was boring with some excitement in between. However, my second deployment was somewhat more perilous not because of Sadaam but from insurgents in Iraq and is the setting of the experience I want to talk about.

In most cases, when I deployed in SF, I and the folks I was with were euphemistically called “REMFs”. Pardon the crassness of the translation – rear echelon moth-*insert bad words*. In other words, while everyone else fought the war in Iraq, my unit was in the relative safety of the “rear”. We were trained to expect bad guys at every turn but the sad reality is very few times did the bad guys show up to engage us.

On this second deployment, our mission was somewhat ambiguous. We’d deployed to support air base defense missions for Operation Iraqi Freedom in whatever way the Air Force saw fit. If you know military deployments, you know what that means – no one knew what to do with us and so we were wrought to be abused and we were. One assignment we were given was to inspect vehicles coming into and out of Kuwait and Iraq on the Kuwaiti side of the border.

One fateful day, my lieutenant grabbed a group of us and ordered us to help a returning Army convoy get through a Kuwaiti roadway. We were each placed at various intersections, mostly by ourselves. Yeah. I know. Translation: we were armed crossing guards for big trucks coming home after being blown up. The job sucked as much as it sounds. As I stood in the middle of a Kuwaiti road contemplating what I had done to deserve this ungodly punishment, an Army officer came to my position and shouted “Make sure NO ONE comes through this area. NO ONE! Have you done this before?” I answered “Not quite.” I was lying. I had never stood in the middle of a road in another country to protect a bunch of trucks from getting T-boned by vehicles they could have run over and not have noticed. He shouted back, “Look, if you see a car, start putting your hand in the air and shouting for them to stop. By the way, hold your fingers pursed together and shout (insert Arabic word for “stop”).” Sounds like a plan. I do what he says and the cars will stop. Yeah. Not quite.

An hour passed and no vehicles. As soon as I grabbed my radio to check on the status of the convoy, I saw it – a vehicle I’ll never forget for as long as I live. It was a brown Mercedes S-class sedan. It was a few hundred feet away. I immediately put my hands in the air and demanded the vehicle stop. I shout and it keeps coming. I do the thing the officer told me and still it won’t stop. The distance closes by the second. Time seems to be creeping slower as nervousness sets in. What do I do if he won’t stop? The other guys are God-knows-where and my battery is about dead.Every cop in the world has been trained to recognize the car as a lethal weapon when it’s coming at you with no apparent attempt to stop. At some point, I realize the M-4 I’m carrying needs to come up and pointed towards the vehicle. Remember, this takes seconds. I pull the charging handle and let the round chamber to make the weapon ready to fire. I scream, “Stop! STOP! STOP!” The vehicle stops five feet from me. I’m huffing and puffing. I hear the ebb of trucks – the convoy has just gone passed. The tunnel vision I had at the onset left and there I was eyeball-to-eyeball with the vehicle and its occupants – a family. I don’t know if it was language, culture, or poor vision but for whatever I reason I hesitated and saved a family’s life and the convoy, in some weird way.

Here’s where it gets awkward. Over the years since then, few days go by where I don’t think about that family. I can see the husband, his wife, and children. I can see the frightened looks of the children. I remember the kafiyeh the husband wore and the piercing glance his wife gave him from her hijab as he suddenly stopped. I can hear the tires squeal. I remember the aroma of the diesel trucks as they passed me by. Most importantly, I remember my hesitation. I could have killed them. Why did I hesitate? When it matters will hesitate or react? Am I the warrior I always envisioned I’d be? Some days, these things are easier to answer than others.
Since that incident, several years later, I went on another deployment as a REMF and served two tours in Korea. I also worked as an armed community based security patrol officer in some of Tampa’s worst housing areas. Each job I’ve had since that day, I’ve encountered situations where that day was in the back of my mind. Admittedly, I’ve never had to raise my weapon in anger since then.
So here’s what I’ve learned since then and how I think my experience can help others in security:

1. No matter the gig, you should ALWAYS expect the bad guy to show up. It never fails. You’re told the job is easy. The threat is nonexistent. You feel safe. Then, BAM! The bad guy shows up. What do you do? Do you hesitate to respond? It’s not an easy question to answer but one you need to ask yourself daily. Don’t worry. You know the answer. We all do.
2. Have confidence in your ability to defeat the bad guy. During this deployment, many of us had derided the training we’d received to prepare for this deployment. None of us felt like we could do much against the bad guys with the training being as ambiguous as the training and the rules of engagement being equally confusing. Believe it or not, the psychology behind self-induced confusion and “fog of war” diminishes a great deal of confidence. Whatever you do to get ready for these situations, make sure it’s not only effective at mitigation through mechanics but gives you the confidence needed to make difficult decisions in a variety of scenarios.
3. Just because you don’t fire a gun in combat doesn’t mean there aren’t decisions you won’t wrestle with. Seriously, I didn’t kill anyone but the idea that I could have killed an “innocent” has followed me throughout my life. It doesn’t make me some sort of “seasoned vet” or anything. However, the questions I asked immediately afterwards, still remain.
4. There’s nothing wrong with hesitating when you can. Had I not waited, I could have killed that family or at the very least, created a major issue for everyone. Remember, Kuwait was an ally. I’d be lying if I told you I was thinking of the alliance. Sometimes, in security, we respond to situations not based on what we see or hear but what our rules of engagement allow us to get away with in the situation. I could have done far more damage, had I dealt with this differently. Don’t take too long to make up your mind but make sure you’re decisive and situationally aware.

I admit I could have done a lot of things differently that day. I could have insisted on better ROEs. I could have asked for another person to be with me. I could have made up my mind earlier what my “red line” was going to be. None of this would have meant I would have shot anyone but I can’t help but think I should have reacted sooner and more decisively. But you know what? The simple truth is – I did everything right.

OPINION: The Impact of Bias & Politics In Security

Originally, I wanted to make this an “open letter” to my fellow Americans about the current state of security. I was going to lecture us for engaging in pointless arguments and conjecture regarding where to place the blame for our security failings and who deserved credit for our success. However, this will not be an “open letter”, though; I will address these issues in this post. That’s right. I’m probably going to offend a few of you. Stick around because you’ll soon discover I’ll offend someone you don’t like. So let’s begin.

There seems to be an incessant desire to inject our personal political beliefs into how we view security. This used to occur only in the domain of national security. Here it was more acceptable, expected, and understandable than in others. In 2014, we saw a dramatic shift in this paradigm. The injection of politics has occurred throughout the spectra of security. Hacks on corporations have occurred in the name of political differences and responsibility assigned (accurately or inaccurately) based on them as well. Even areas thought immune to politics such as personnel security saw this as well. Discourse diluted to regurgitation of talking points. Experts emerged with little to any relative experience or extensive security knowledge but gained popularity because of which side they seemed to agree with. Accusations were cast as fact with little to corroborate them other than innuendo and insinuation from less-than-objective sources.

Today, the discussions of security have become little more than massive pep rallies and virtual lynch mobs. As professionals and practitioners, we rely on credible and objective evidence-based analysis to make informed decisions for our clients. Yet, the current discourse has been infected with vitriol and far-from-honest portrayals. In order to correct our course, we must examine what is occurring and how we can change.

1. What happened to having conversations? This is a question I find myself posing quite a bit on social media these days. The dialogues people are having with one another about things in security have been destructive, short on content, and full of conjecture. Twitter is the perfect place to watch this devolution. People shout and angrily dismiss opinions they don’t agree with, in an effort to assert expertise rather than collaborative learning. I don’t pretend to have all of the answers and so I use Twitter and other mediums as a means of learning more. Yet, so many people don’t want to learn. They’d rather spend their time proving you wrong rather than hearing your perspective. In certain cases, I get this. Some ideas are flatly wrong or just an attempt to “troll”. Therein lays our greatest weapon in bringing back sound intellectual discourse – choice. We can always choose to ignore opinions that are not in the interests of learning and sharing knowledge. Yet, we don’t but we need to.
2. We seem to like to state our bias but pretend as though it doesn’t matter. Facts are facts but our bias has a great deal of influence on our analysis of those facts. The worse offense we make is allowing our bias to form our opinions. On social media, I have seen a great many of profiles with biographies full of stated or implied bias. Not surprisingly, I find many of these accounts and their timelines to be absent of manipulated or inaccurate facts and vitriolic opinions. When challenged, these accounts retort how much they don’t care that influences them, how the “other side” does it too, and how the challenger’s facts are wrong or formed from the “mainstream media”. Miraculously, these accounts don’t see how this very analysis is influenced by theirs.We all have a bias. We can’t escape it nor should we. That being said, it is incumbent upon us to realize our bias and understand how it influences our analysis and our subsequent opinions. For example, if you don’t know anyone who owns a firearm and never touched a gun before but hold very anti-gun opinions after a friend was shot, it may be prudent to understand how your lack of exposure and the tragic event of losing a friend could have an impact on your opinions about guns. This doesn’t mean you’re wrong but it certainly pays dividends to understand.
3. The labels we give people have a tremendous impact on the level of discourse and engagement we seek to have. Come on. Let’s not pretend we don’t know what RWNJ (right wing nutjob), Libtard, Democraps, SJW (social justice warrior), gun nut, thug, un-patriotic, Obummer, and others mean. These are the “nice” labels. Have you ever had someone call you “stupid” after you articulate a point and thought you were going to be taken seriously? Have you ever called someone “stupid” after they made their initial point and expected them to take your argument seriously? No. That’s not how constructive discourse works. We use these labels in order to dismiss people’s arguments because we either fear taking them seriously or we don’t want to listen to them. In some cases, I get this. I do. I get trolled at times and I find it easy (though I resist) to troll back.
   
   If we’re truly interested in having meaningful discussions and want people to take us and our ideas seriously, perhaps we should drop the labels. Our forefathers often engaged in heated debates with another about various topics. However, they recognized their greatest vulnerability rested in their greatest weapon – their ability to compromise. Consensus and commitment can’t occur when you’re busy tearing people (instead of their bad arguments) down. By tearing down our neighbors, our enemies find new allies to defeat us. If there is one lesson we’ve learned this year, it’s that the insider can have the greatest impact.
4. Stop using tragedy to assert your political commentary. There are few things that rub me wrong than this. I have been on Twitter for little over three years and in that time; I have witnessed countless tragedies as they were happening. With each crisis, there are new experts vying for their voice to be heard among the ever-growing field. During the initial days of the Ferguson riots, I was called upon to give my opinions. It was an experience I will never forget and it gave me valuable insight into how politics with its own agenda shapes much of the dialogue in security. Good or bad, there are a host of issues which impact security and law enforcement which wouldn’t drive as much discussion if it were not for politics.
   That being said, I find a great many of “experts” use social media and the settings of tragic events as platforms to inject their personal political allegiance and ambitions in to their “objective” analysis of security issues. Nowhere has this been more apparent and to our detriment than in the recent spate of officer-involved-shootings. There are a host of instances where “experts” have used incomplete, manufactured, outdated, or demonstrative data from corollary events in an effort to support their biased and politically-based opinions. Nowhere but in our current media paradigm do we see and accept this so blindly.
5. In a world where events don’t matter unless they “go viral” or cause our clients embarrassment, it is strange how we ignore the impact this has on both how information is given and received and why. Even stranger is how we ignore how that happens. Today, you can’t visit a news story and not see a button to like or share the content with others. News organizations no longer make their money off of consumers but advertisers. Ads are custom-delivered to us based on our reactions to various news articles. Many times, we don’t see a story unless it’s “trending”. So if we’re only seeing things based on our reactions to them and it’s solely crafted in its current form to create an emotional response, then why ignore the influence this has on our discussions about these stories?

Perhaps, when we care more about how we receive and present information, we’ll make more informed decisions regarding the issues surrounding our industry. We may even see a high-return in a public that takes us more seriously and understands the mental acuity required to understand the threat, our risks, and vulnerabilities. When we get back to having meaningful and constructive discourse founded on information meant to inform and not persuade, we’ll do more than prattle about who should be our political party of choice.