Saturday, July 18, 2015

OPINION: Panic is the New Normal, America

The last few weeks have been an interesting time in the world of security. We've seen the death of nine innocent lives at the hand of Dylann Roof, seen the panic derived from the unfounded speculation at events like the Navy Yard active shooter scare, and most recently, our nation has suffered an unimaginable blow at the hands of a young man who killed four Marines. In all of this, our discourse with one another has gotten more combative and often, bordering on nonsensical. People are allowing mass hysteria to justify an enormous amount of gross speculation and outright lies and misconceptions about security and mitigation to infiltrate our discussions about the things which provide protection. At times, I have found myself engaged in some of these discussions to only find myself more frustrated and wary from addressing the problems of allowing this mass hysteria to grow at the rate it has. In fact, here, I'd like to address what are the problems and what are some possible solutions.

Lately, it seems like I constantly rehash my favorite topic - the semantics of security. If you're not familiar, I'll digress and explain briefly. I look at security as a mental construct we use to nullify our fears long enough to meet certain life-sustainment activities. In other words, security is nothing more than the things we do to "feel" safe. When we practice "security", we're addressing what we think the adversary will do. Ironically, we do this often without ever seeing the bad actors in action. That's right. We lock doors and windows, primarily, because we believe bad guys will be turned away from locked doors. Time and time, we do this under the assumption bad guys don't pick us to steal from because the doors are locked. What this never accounts for is the determined adversary. Who is this? Someone who gives not a single iota about that locked door, only that it may delay him from gaining entry. What protects us from the bad guy is really something called mitigation.

Basically, mitigation is about dampening the effects of an attack. It recognizes the threat is real and will come eventually. It looks at the complete threat profile and determines its capabilities, opportunities, and motivations. By doing so, we can implement a comprehensive mitigation strategy that not only detects the adversary but possibly, deter, delay, and destroys him. Earlier, I mentioned locked doors. They aren't bad. In fact, those "secure" entry-points are a part of mitigation because they aid in detection, deterrence, and delaying further infiltration. Most novice security practitioners are unaware locks and doors are rated based on their ability to delay penetration. So what does this have to do with our current discussions on security?

Most of your average citizens promote ideas about security based on things they think will work. As someone who has done this kind of work, how many people have you encountered that don't do it but swear they get security? How many of their ideas are lofty, unrealistic, unfeasible, unsustainable, and just pure wrong? Whenever I talked with people about securing the homes, a common statement was "I already have security - it's called a *insert dog breed, gun caliber, or pretend-military/MMA status*". These folks assumed whatever that one thing they had would be adequate to address one kind of threat using one or two vectors. Some would argue one or two of those things will cover most threats to them. That may be true but it neglects other viable threats which may possess other capabilities that aren't countered.

The fix, in part, lies in how we think of the threat. Take the military recruitment center shootings. Loads of people have been saying for the last 48 hours, we should send military police to secure these facilities. They claim these guards would possess the skills and equipment needed to neutralize the threat. What's strange is that most of these people are only considering one type of threat before we even have a confirmed motive from the FBI.

Most believe banks with guards don't get robbed because the posted guard at the bank has a gun. A secret among many bankrobbers is most aren't armed. Bank policy, as is widely known, is to give up whatever money is designated by the bank for robberies to the robber. The bad guys know this and many don't want to jeopardize more time in prison by getting caught with a gun AND the cash. So they opt for the note. The reason they don't hit banks with guards is because the guard has a gun AND radio. A saying I was always fond of when I did security as a civilian was "You may outrun me but you'll never run faster than my radio". What most miss in the discussions about MPs at recruitment centers is that most profiled jihadi active shooters FULLY expect the police and do so expecting to be shot. Remember this - the Dalton gang and others robbed a many of banks and trains that had armed guards. All in all, armed guards only turn away less determined adversaries.

This work, called risk management, requires us to analyze the threat for what is, what it can do, the damage a successful attack can cause, and our mitigation. In the current FUD (fear, uncertainty, and doubt) environment we're in, there's a tendency to deify the adversary to a point where they are seemingly omnipotent and omnipresent. One successful attack and we're suddenly unsafe and at danger of losing everything. What's crazy is that it never acknowledges the connection between the mental construct of "security" vs protection. Is it no wonder, then that after one successful attack, we assume the sky is falling? It's as if the sanctity of safety we constructed our actions has blinded us to what is real and imagined in security. Naturally, we assume we need to do more to "feel" safe rather than fix, eliminate, or upgrade our existing mitigation. Additionally, the loss of human life is unacceptable for any security setting. Having his enemy lose one life, regardless if the shooter lives or dies, is considered a victory for some shooters. Given our intolerance to having personnel killed, this is not wholly untrue.

There are a number of solutions to our current security crisis. Some are good. Some are very good. Some are faulty. Some are flat-out dangerous and wrong. These attacks will only increase, as will the speculation about future attacks, hoaxes, and troubling events. Even more certain is we have to continue having the difficult discussions we're having. Nothing gets solved by having discourse with people who always agree. Ultimately, the solutions don't rest with the victors of our collective shouting matches. They lie in how we understand the threat, the risk they pose, our mitigation, and how we define "safe".

About Us