Tuesday, October 7, 2014

OPINION: The Fine Art of Failing vs Mitigating in Security




Last week, I wrote a post regarding “security myths”. In that post, I was hesitant to be overly critical of the United States Secret Service’s response to recent intrusions. In the days following my article, there have been very illuminating leaks regarding exactly what happened that day. One revelation was that the intruder actually made his way inside the White House. Before the leaks, I stated that, whatever the After Action Reports revealed, the entire incident was not a mission failure. I stand by that conclusion for a few of the reasons outlined below:




1. Mitigation is the goal of any security program. The idea that we, in security, prevent bad things from happening is a huge myth. You can lock your doors and windows to thwart bad guys but the only people who make the final determination whether the bad guys continue are the bad guys. We mistakenly believe security is a physical entity we can see, when in fact, it is a psychological construct designed to enable us to move on from our fears to do other important things vital to survival. What we seek is protection which is only achieved by mitigation. Mitigation is what we do to reduce the potential harm inflicted on us if the adversary should show up. So the lock does not prevent crimes but its presence gives us some sense of security, while it also mitigates potential threats that may come via the doors.

Prevention is perhaps the one thing we don’t control but assume we should. In the case of the Secret Service, yes, there were lapses in security. Uniformed personnel were obviously not able to sufficiently cover the grounds of the White House. They could have done more to secure the doors and should have posted someone able to engage a threat coming for the North Portico doors. Someone at Secret Service did on multiple occasions succumb to allowing convenience to overrule the imperatives of adequate mitigation. The White House staff and the United States Secret Service did fall for the psychological trap of security, instead of following a plan that guaranteed mitigation.

Feeling safe is not the same as being safe. That being said, various mitigation tools did work, like the successful evacuation of the press and staff who were in danger. Also, an off-duty agent was successful in aiding in the apprehension of the subject. It’s important to note the Secret Service’s mission is to protect the President and Vice President as well as all principals designated by law. In short, with no loss of life, this mission was accomplished solely because other mitigation tools had a chance to do what they were designed to do. It was a mess and it certainly does not reflect well on the Secret Service.

2. Prevention as a security goal and task is unrealistic. An old adage I remember from my days in the Air Force is “the enemy gets a vote”. No matter how good your plan is or how great your mitigation tools and techniques are, nothing you do will prevent the enemy from doing anything except killing him. Detention is, at best, only guaranteed to delay their actions. In fact, the only reason I believe the saying “Only you can prevent forest fires” is because I always thought Smokey the Bear was talking to potential perpetrators of forest fires and not victims. So why do we insist on believing prevention is realistic, if we’re solely addressing victims? What most people want are more effective mitigation tools but assume the semantics mean the same when they don’t.

3. Every security organization is bound by the use of force continuum. Some argue the Secret Service should have killed the subject immediately. Many of these people ignore Graham vs Connor which dictates the level of force an officer can use against any subject. That standard is called the “objective reasonableness standard”. This comes from the idea an officer can use whatever force is necessary to stop any threat as long as that force is comparable to what a reasonable officer would deploy in similar circumstances. Would a reasonable officer shoot a potentially unarmed man just because he committed a trespass violation? Imagine the precedent we could set by implying under certain circumstances it is reasonable to kill someone for seemingly minor offenses. Does a simple trespass have the potential to be more at the White House? Oh, for sure. Until a person displays a lethal “intent, opportunity, and capability” against another, we are bound to use the force a reasonable officer would to stop the threat. Otherwise, we stand the chance of the White House becoming a favorite spot for those looking to die via “suicide by cop” or placing the White House and its security at the center of a potential tragedy. If these statements make you upset, then I implore you to read what I said again. I never said deadly force was not authorized. It is. Deadly force can be used as soon as the threat meets those three criteria I established prior.

4. Like it or not, the White House is a tourist attraction and that complicates things greatly. Did you know the White House receives millions of visitors annually? This accounts for those who merely gaze through the fence and those who come to take a tour. In partnership with the Park Service, the United States Secret Service is tasked with protecting the White House in spite of the enormous opportunity various threats have to carry out an attack either against the throng of tourists or the President. In most executive protection assignments, the principal’s address is a matter of neither public record nor access. The Secret Service is in the unenviable position of protecting the President in a vastly different environment. Measures we’d like to see taken in one regard (i.e. fortifications) which help mitigate the visibility of the grounds and the principals are often not what the public envisions when they come to see their “house”.

5. In some executive protection circles, if not most, there is a delicate balance between protection and convenience. Most people who have never worked an executive protection detail don’t get how often the people protecting dignitaries are overridden when it comes to matters of convenience. I have known many personal protection officers who have complained they have been told to “stay with the car” when a VIP goes some place where his protection detail has no visibility.

With the White House incident, we learned a key mitigation tool was rendered ineffective because the White House Usher’s Office decided the intrusion notification system was too loud and needed to be turned off. In a world where one sees protection and is lulled into feeling “safe”, this is an easy mistake to make. It never costs you in the short-term. It won’t hurt today but you can bet when the adversary shows up, you’ll wish you had that mitigation tool in place. Is this a fault of the Secret Service? Sure, in some ways. They could have pressed the issue and said “no”. They, not the Usher, are legally mandated to protect the President. If that tool aids them in doing so, then the tool stays. Period. Is there a culture in Secret Service that enables this? I don’t know. What I can tell you is there is a culture in DC and the White House that does. Hopefully, the hearings which are going on will further highlight the need to silence the parts of that culture that negate sound protection practices.

6. Finally, stuff just happens. During my 14 years in this industry, I spent 10 in the service of the United States Air Force in military law enforcement and security. My first few years were spent as a young Airman performing what is commonly termed “gate guard” duties. I stood at the main gate of our installation controlling entry and exit. I was also responsible for issuing countless visitor passes. I was really good at my job. So good that I was winning awards and accolades above my peers. However, on one fateful day, I encountered something no one expected.

A female Technical Sergeant and her male guest came to the visitors’ center looking to get a visitor pass. All that was required at the time was a military ID card from her and a government issued ID from him. I checked his ID which was a passport and noted all of the details had matched. Our conversation was good and I detected nothing extremely peculiar. Actually, I did note something but I was stationed in Idaho so it was not a big deal at the time. Her guest asked if he could bring his personal weapon on the base. I told him he could not and asked if he had the weapon. He replied he hadn’t and she reassured me he hadn’t one. The question seemed one of mere curiosity in an attempt to make “small talk”. I had done everything I could do at that moment.

It was not until two days later that I was approached by our investigators and several federal agents informing me several tactical vehicles were coming to apprehend him for being a fugitive – he had killed several people and almost killed a police officer. I was crushed. How could this happen? Should I have asked more questions? Would they blame me?

Years later, still torn by this, I asked a mentor who informed me I had done nothing wrong and in fact did everything right. Despite my best efforts, the adversary won. This is an unfortunate but inherent ingredient of protection. No matter what you do, the enemy will still do what he does and it is your job to prepare for that and win.

Monday, October 6, 2014

VIDEO: Microsoft CSO, Mike Howard, Talks The Benefits Of ASIS Members




This video is a bit dated (recorded in January) but what Mr. Howard says here is absolutely correct. I can attest to this, firsthand. You could say this blog wouldn’t be here for you to read, had I not discovered the American Society for Industrial Security, International. Approximately 10 years ago, I joined ASIS seeking out people who were motivated like me and who enjoyed doing physical security. I thought the people I would meet would be, at best, middle management security guys/gals. Was I surprised! I met folks from all over security and was involved in doing things like volunteer site surveys which my chapter did for a nature reserve looking to upgrade their security. This was way above my pay grade, you can say. Exposure to activities like this and the people ASIS has in its ranks motivated me to start this blog, in an effort to educate my troops and the general public about security. The rest is history. I HIGHLY recommend you consider joining ASIS immediately.

Monday, September 22, 2014

OPINION: Top Eleven Myths Supporting Security Critiques



Well, this seems to be the season for "major" security breaches. There never seems to be a week in the last few months when some retailer or government entity isn't revealing how it's been penetrated. Along with those revelations comes the torrent of critics who ask "How could this happen?" and proclaim "This is the worst thing ever!....Incompetence!....This is epic!" Please, note the heavy amount of snark and sarcasm there. As one of a few people who sort of gets security, I often find myself getting increasingly frustrated about the growing number of amateur critics who have in some way implied "expertise" on a topic few professionals in the industry actually get. So in an effort to educate everyone and to vent (okay, mostly to vent), I've decided to do a piece on the myths surrounding security. Bear with me. If it feels like I've kicked you in your stomach, good - that's why I'm doing it.
  1. Physical security is easy. Sigh. This is the most upsetting and doggone frustrating statement a security professional could hear. Contrary to popular belief, security is not easy. It's pretty hard, actually. There's a lot more that goes into security than just bag searches, menacing guards, cameras, and alarms. It encompasses multiple disciplines which contribute to the security mission. They range from information security to operations security to risk management to executive protection to physical security to personnel security to personal security. All of them bring something unique to the table. Each is an integral part of the total security package. It takes a professional versed in all of them to be able to deploy the package seamlessly.
  2. Anyone can do security. Ugh. Wait, no. Double - ugh!! Not everyone can "do" security. As I stated before, it's hard. It's not rocket science but if the only thing you've ever protected in your life was a bike in a bad neighborhood, you may not be as qualified as you think to speak expertly on matters such as the security surrounding rather complex and sensitive facilities such as the White House or military bases. I know I just made a lot of folks in the DC press conglomerate very unhappy. So let me explain. You can have all of the facts on an issue but still not get the nuances behind how to properly execute an effective security plan or understand the stark realities those facilities face. As a matter of fact, there are people in the job who barely get some of these concepts, which explains why so many security plans fail.

    I've been in this industry for 14 years and there are things I'm learning every day. I am no "expert" and I often eschew any effort to attribute that title to me. It is also my suggestion, given my background, if I admit to knowing far less than most "experts" with less experience are willing to, then maybe you should be questioning their "expertise" as well. Think you can "do" security? I'd happily place you in charge of physical security at the White House which receives MILLIONS of visitors every year and hosts the most targeted human being on the face of planet Earth. Good luck.
  3. There's entirely too much security for this. Another sigh. Seriously, folks. Unless you've walked in the shoes of the person who designed the security apparatus for that facility or worked in a similar post, you may not understand the thought process behind how security is set up there. In order to better educate most folks who are not familiar with this topic, I'll take a moment to digress and speak on the mission of security and how it is often set up.

    Security's primary mission, no matter the discipline, is pretty much the same minus some semantics. It is to detect, deter, delay, and destroy. There are professionals who will undoubtedly find issue with my choice of words here. My message to them is clear - I get it but let's think more figuratively. While it is optimal in security to see the threat before he arrives, that may not always be the case. In fact, there is very little empirical data to suggest much of what is done in physical security actually deters the truly dangerous threat. However, what is quantifiable is delaying and subsequently disrupting or destroying the threat's ability to continue their actions.


    A great example of classic defense-in-depth

    Finally, let's examine what drives most security plans. Much earlier, in another post, I wrote extensively about risk management which is a process by which security professionals and their stakeholders ascertain the level of risk they're able to maintain and the mitigators they plan to deploy to minimize the risk. As you can imagine, this process is what most security plans are derived from. Within those plans lies the basic outline of how most modern security is implemented - defense-in-depth. This is best explained by asking you to imagine an onion. As you peel the skin on any onion, you'll note the various layers contained. Security is much like that. Every protected resource has an outer layer of protection which supports the inner layers. The closer you get to the resource, the more intimate the security. Imagine the White House. The outermost layer of security there could be the scores of CCTV systems found all over the DC area. From there, the security mechanics become more intimate with their resource. Stop laughing. I hear the jokes. Serious. Stop it. The inner layers encompass a new level of protection closer to the resource than the next. See, I cleaned it up for you.
  4. The security guys just need to do a better job. Really? Like seriously. What qualifies you to make statements like that? Have you examined the actual, no-kidding threat intelligence or data to understand the nature of the adversaries those "security guys" may face or the countless attacks which get thwarted? A great example of this is a conversation I had recently with a political website editor regarding how the United States Secret Service would be better served by doing a "better job of managing its fence" rather than deploying checkpoints further from the ones already at the gates closest to the White House. I strongly disagreed not because I love checkpoints (I don't - see my thoughts on crowds) but because I understand (because I've actually done executive protection and physical security versus offering critiques about something I only read about) what drove the US Secret Service to acknowledge they were considering checkpoints. You would be remiss as a professional not to consider them as an option. I think we would all do a lot better to understand the difference between a consideration and an implementation.
  5. I have a PhD so I have the magic ability to know all things related to security, though my PhD is in an unrelated field, or I've written books non-security professionals think are dope. I won't waste a lot of time and space on this but this is a growing issue throughout social media. Stop it. There are few things more irritating than to be dismissed by an academic or author who thinks their degree or books written provide them with omnipotent ability to know everything they need in order to criticize security. As I've stated before, you're probably extremely smart in your area of expertise. This does not lend itself to transference into what I've done for 14 years. Sorry. But that's the truth. Again, I don't know a whole lot and there are guys in my field who are far more impressive than me. That being said, read this and #2.

  6. You say tomato and I say TOH-MAH-TO. Same difference. No, it's not the same. In security, certain terms do matter. They really do. For example, I had a very good conversation with a national security pundit I follow on Twitter, Joshua Foust. Joshua is smart when it comes to matters of national security and almost ties John Schindler in trolls except Joshua doesn't have a parody account yet and his and John's tweets are thought-provoking.  That being said, our discussion this morning was about the efficacy of passport revocations. Joshua intimated revocations made jihadi terrorists stateless people. I find that most people confuse revocation of passports with revocation of citizenship. The two sound the same but are vastly different both in mechanics and impact. However, because they sound the same they are often confused. We saw this when Snowden's passport was revoked. People claimed he had been stripped of his citizenship, although he never formally renounced his citizenship nor did Congress or the President revoke it. In fact, the passport revocation is nothing more than a travel restriction. You're allowed to travel to other countries as long as your country provides you with a valid passport. If your country revokes your passport, you're no longer able to travel and can only come back to your home country.

    Joshua would later admit the semantics were different and we both agreed there were mechanisms already in place with respect to fugitive warrants and the Foreign Terrorist Organization designation. Neither, from my limited knowledge, have been integrated when it comes to jihadi foreign fighters. That is something I'm sure the President and other leaders are seeking to change because the inherent value of Western foreign fighters for groups like the Islamic State is their passports. Western travel documents can gain you access to a variety of countries, if they're not revoked or cancelled.
  7. I could take down security anywhere and I could break in there if I wanted to. Okay, that sounds very cool. I'm sure you could. However, taking down an unarmed security guard because he's 75 years old with a bad limp is vastly different than being faster than his radio and being tougher than the eight burly deputies who will respond. You might also be able to break into a facility. That's also great and amazing. However, keep this in mind - sometimes breaking into a facility has more to do with luck rather than skill or technical acumen - remember one of the latest White House fence-jumpers was a toddler. In other words, the sun shines on a dog's rear every now and then. You also may not be as lucky as you think.

  8. OMG, this breach was the worst breach EVER!! Stop. Full-stop. Don't move. Breaches happen all over physical security for a variety of reasons. Some are preventable, sure. Some are not. Some occur in ways professionals never thought of. Some occur because the security manager and his/her stakeholders accepted too much risk. All I ask is that before you roll up a physical security breach as the worst ever, analyze not only the breach but the totality of circumstances. Some people are making a big deal about the recent White House fence-jumper who made his way "into the White House". I'll take a moment and explain why this is wrong.

    Yes, the White House fence-jumper recently made his way to an inner layer of the mansion. Keep in mind what I said about layers. Here's something most critics won't acknowledge mostly out of ignorance. The doors, which I have pictured below, are actually an entrapment area. Wait. What? Yes, the North Portico doors are indeed an entrapment area. What does that mean? Simply put, the exterior doors remain unlocked so exterior personnel (security and non-security) can enter through them and gain access through the second set of doors which remain locked and more than likely, guarded by on-duty US Secret Service Uniformed Division personnel. In other words, someone or something would need to verify your credentials before allowing entrance into the interior.


    The diagram of the White House showing the doors.


    The North Portico doors UNLOCKED. But do you see the doors behind them?


    Scriven, how does this change the fact that he should have never gotten that close? It doesn't. However, it's always best to remember while this is the first time someone has made it to those doors, there have been other more egregious breaches. Thirty-three others, to be exact. Remember when the airplane crashed in the White House lawn? I digress. Did the USSS accept too much risk by keeping the doors unlocked? Sure, but I'm also aware these doors were probably unlocked more for convenience for certain non-USSS personnel. How do I know that? Because I've done something similar in a variety of security situations. So what does this little exercise tell us? First, it tells you I have entirely too much time on my hands and I spend a lot of time on Twitter. Second, it tells you exactly why layers exist and whether they function properly. In this case, a few layers were breached but the resource was secured by one. Third, a lot of people are making wild assumptions without having read the official report nor has there been an accurate articulation from which direction the jumper entered or whether he had been observed (my guess is he was). Also, some of these same people make all kinds of weird guesses about the nature of security at the White House based on rumor and what television and the movies convey. No, the President will not be firing an RPG at multiple jumpers next time.

    Finally, it teaches us the value of relativity and complexity - this was bad but was it the worst? It's all relative. Seriously, can you imagine managing the security of POTUS and his/her staff and guests AND the most iconic tourist attraction in the Western world? It poses some SERIOUS security challenges which are countered every single day, mostly with zero incidents. If this was the "worst", then the Secret Service did an excellent job of containing the threat.

  9. Security is pretty simple. I can't even.
  10. The Israelis do it better.
