Originally published in IRConcepts Newsletter in Winter 2005.
Security issues have risen to the top of every major corporation’s priority list. The magnitude and complexity of the issues, particularly for a global enterprise, can be enormously challenging. Obtaining, integrating, and communicating reliable and useful information; developing effective strategies and processes to assess risks and protect the business and its employees; and coordinating with government agencies at all levels are of paramount importance. It is also critically important that corporate leaders have a forum to identify and share effective practices on a broad range of security issues.
These are some of the reasons that prompted the effort to establish the National Employer Security Network (NESNet) as an ongoing peer discussion group of people working with these knotty issues. IRC contracted with ORC to pursue this idea because ORC seemed well-positioned to manage the effort. First, three earlier meetings, two in partnership with the Brookings Institution and one with a select group of major employers in the ORC Washington office, demonstrated the potential value of establishing a network that would address a wide range of employer security matters. Second, ORC’s OSH Practice serves as an excellent model for this new initiative. Like ORC’s OSH Group, it was thought that NESNet would strive to develop an ongoing, cooperative, and proactive relationship with a major government agency, in this case the Department of Homeland Security (DHS), encouraging the exchange of information between company managers from a broad range of industries and those developing policy and regulations in Washington. Additionally, the network was to provide a framework for the examination and development of “best practices” in use and being developed by member companies in response to both regulatory and business enterprise concerns.
NESNet activities would encompass security issues in the broad sense with the traditional ORC interdisciplinary response—a holistic approach both from the perspective of the issues addressed and the broad range of those in the employer community who must respond. In short order, we expected this network to grow into an influential and effective player in the national security arena.
Efforts to Create the Group
The first NESNet conference, held on July 21-22, 2004, was at the center of the effort to create the group. The potential members invited to participate in the event were drawn from the following existing ORC networks:
- Occupational Safety and Health Group
- Western Occupational Safety and Health Group
- All Senior Human Resources Executives Networks
- Workplace Opportunity Network
- Employment Law and Litigation Group
Invitations were also sent to all private-sector employers previously invited to the Brookings Seminars that ORC had sponsored.
In the process of creating the network and organizing the conference, ORC encountered some significant difficulties. First, despite ORC’s experience in facilitating employer networks, there is no expertise currently within ORC in the area of security. The Department of Homeland Security and its agency counterparts have shown themselves to be largely unresponsive to those who do not already have some contacts within the agencies. Despite DHS’ alleged efforts to improve interchange with private industry, officials who were willing to address and work with this network were very difficult to find and contact. (Even those ORC had already identified in DHS did not seem to feel their role included providing liaison with a multi-industry group.) Identifying useful contacts and speakers in other security-related organizations was even more difficult without having previous contacts and experience in law enforcement, intelligence, or defense.
In order to resolve this problem, ORC sought to collaborate with people more knowledgeable in these areas. ORC’s initial attempt was to work with the Oak Ridge Institute for Science and Education’s National Security Program (NSP), headed by an ORC contact who was formerly a senior official on the National Security Council staff at the White House. The NSP staff included persons who had substantive experience in military and civilian intelligence, counterterrorism, law enforcement, weapons, and national security operations. The staff had had considerable experience in planning for the protection of U.S. nuclear facilities and in security for defense operations such as Desert Storm. As a consulting group themselves, NSP had clients including Department of Homeland Security, Department of Energy, Federal Bureau of Investigation, and Department of Defense. Initially, NSP was very interested in participating. While they had numerous government contacts, they had little contact with private industry and were excited about the prospect of expanding business opportunities in that arena.
ORC had several discussions with NSP concerning the type of information and discussions ORC members would be looking for, and assisted in the preparation of a detailed agenda. ORC believed the agenda reflected a sound mix of government, non-governmental, and NSP staff expertise, and provided a good basis for launching the attendees’ discussions regarding NESNet’s future activities.
Second, despite the extensive efforts ORC had made to identify and market the first meeting, only a disappointing 15 participants actually registered for it. This may have been due to the timing (second half of July) and vacation issues. Also, as there was no charge for attendance at this meeting, many of those who said they intended to participate during ORC’s initial inquiries concerning their interest felt free to cancel or simply failed to appear at the last minute.
Learnings from the NESNet Meeting Speakers
The first speakers provided information on the nature of the threats facing both the U.S. as a nation and industry sectors. Lt. Col. (Ret.) Dolamore, Director of Operations and Analysis for the UK firm Hazard Management Solutions, described the greatest threat to the U.S. as coming from the Al Qaeda umbrella organization for a number of terrorist groups having their roots in the Middle East, Africa (especially North Africa), and the Asia-Pacific regions. He provided information on literally thousands of incidents and threats that extend over more than a decade, and provided information about recent plots that had been detected or interdicted since September 2001. Although many of the attacks have been against U.S. embassies and military targets of the U.S. and other nations, an increasing number have been directed at business operations such as airlines and mass transport, shipping, oil and gas pipelines and facilities, and commercial businesses (especially in the hotel and leisure industry).
Dolamore discussed past and continuing threats toward industry and infrastructure such as bridges and roads, water supplies, power stations and distribution systems, communications, and the oil and gas industries. He also summarized the current techniques being used by Al Qaeda.
Among the points made by Col. Dolamore is that terrorism in the U.S. did not end with the World Trade Center and Pentagon incidents in 2001 and that we should expect more to occur, especially in multiple locations at one time. In addition, attacks at facilities associated with the U.S. and its allies will continue. As Al Qaeda’s goal with the attacks is to cause as much disruption and economic loss as possible, threat assessment, damage limitation, and contingency planning are essential to minimize loss.
Speakers from the U.S. Department of Homeland Security (DHS), James T. Faust, Director, Information Analysis Liaison, Directorate of Information Analysis and Infrastructure Protection, and Paul Speller, Senior Intelligence Analyst, Strategic Intelligence Division, Directorate of Information Analysis and Infrastructure Protection, provided an overview of DHS’s approach to intelligence gathering and analysis as well as an overview assessment of the current threats to U.S. infrastructure.
DHS approaches intelligence in several ways, including Regional, Organizations, Technology, and Infrastructure. DHS believes that Al Qaeda has done a lot of planning and that there are still numerous plans for attack that have not been implemented due to the U.S. attack on Afghanistan and the ending of Al Qaeda’s safe haven. DHS has uncovered some of those plans, but believes there are others that remain unknown. Of concern is that since the attacks on Madrid, Al Qaeda believes they are now able to affect the democratic process. With regard to cyber terrorism, there have only been low-level attacks from terrorist organizations; however, this remains a credible threat as there are numerous hackers in the world who can be bought. U.S. nuclear facilities are not considered to be vulnerable; they are well protected and would-be attackers would likely be caught. Finally, DHS believes that currently there are no remote piloted vehicles (RPV) or Man Portable Air Defense Systems (MANPAD) in the hands of terrorists in the U.S.
Turning to industry and infrastructure threat assessment, the following is a brief listing of the issues and what is known:
Oil & Gas Industry
- Terrorists have the capability to launch attacks
- This is one of the most highly threatened industries
- Oil has symbolic value in addition to commodity value
- Prior to recent U.S. blackout, Al Qaeda didn’t think it was feasible to disrupt the U.S. electrical infrastructure
- In Iraq, insurgents are attacking electrical infrastructure
- There has been a lot of rhetoric about damaging U.S. financial interests
- To Al Qaeda, the World Trade Center was the #1 symbol of the American economy
National Monuments & Icons
- Difficulty in assessing this threat
- There has been “chatter” about destroying American “idols” … possibly the Statue of Liberty
Defense Industrial Base
- Not much “chatter” about attacking
- Not rated as any greater threat
- Lots of hackers
- Hackers can be bought
- There haven’t been many threats to communications. This may be due to the fact that most of the countries that terrorists come from have poor communications anyway, thus communications disruption isn’t regarded as special.
- DHS hasn’t detected intent to attack chemical infrastructure itself, but there is a drive to accomplish a chemical-related attack
- Hallmark method for terrorists
- This industry is always vulnerable
MANPAD (Missile Launchers)
- Al Qaeda has trained with Stinger Missiles
- Plane in Baghdad was hit by a shoulder-fired missile that can’t blow up a plane, but can surely cause serious damage
- There has been some interest by Al Qaeda
- There is evidence of surveillance
- Hydroelectric dam in Afghanistan was attacked
- Al Qaeda are capable
- No incidents reported in U.S.
- Never has been one and there isn’t much evidence of planning for an attack on a cruise line
- No terrorist incidents have been reported
- There is some evidence that ships going to U.S. could be carrying terrorists or barrels with bombs in them
Heavy Vehicle Attacks
- The technique has been used
Surface Passenger Carriers Attacks
- These are highly likely targets
Tunnels & Bridges Attacks
- Prominent subject in reported “chatter”
- There have been foiled plots in the U.S.
- Great deal of concern
- Chlorine tanker trucks are a big concern
Speller concluded that, with few exceptions, capabilities exist to successfully attack most classes of targets, that evidence of actual intentions to attack is limited, but intentions can change relatively quickly, and that Al Qaeda is known to emphasize pre-operational surveillance; thus would-be attackers can be discouraged to some extent by frequent changes to security procedures so that they do not become predictable.
Following the presentations and discussions of the nature of the threat as seen from both U.S. and non-U.S. perspectives, R. James Caverly, Director of the Infrastructure Coordination Division, Information Analysis and Infrastructure Protection Directorate, Department of Homeland Security, discussed how the U.S. government (through DHS) is organizing and planning for the protection of critical infrastructure. The Information Analysis and Infrastructure Protection (IAIP) Directorate is one of the four main pillars of DHS activity. (The others are Science and Technology, Border and Transportation Security, and Emergency Preparedness and Response.) The key tasks of the IAIP are to:
- Conduct threat assessments
- Identify critical infrastructures and key assets
- Map threats to vulnerabilities and consequences
- Conduct risk assessments
- Detect, identify, and advise of threats
- Share security information (vertically/horizontally)
- Recommend and prioritize protective and support measures
- Conduct and integrate national-level critical infrastructure and key asset protection planning
- Assist emergency preparedness
Caverly’s division in IAIP is responsible for building relationships between government and the private sector for the purpose of gathering and sharing information. He went on to point out that the majority of the critical U.S. infrastructure is owned by the private sector and, therefore, a strong private-public partnership is essential to drive protection activities. Private-sector responsibilities under this partnership include: identification of the assets that comprise our critical infrastructure; collaboration in the implementation of protective measures in times of high threat to the critical infrastructure; and communication with the government to report changes in threat environment, success of protection programs, and gaps in protective activities. Government’s responsibilities include: sharing of information relevant to the protection of critical assets; enabling the implementation of (and providing) protective measures; evaluating metrics and measures of their effectiveness; assisting in developing methodologies, tools, and programs to enable identification and protection activities; and advocating effective measures to be undertaken by the private sector.
The meeting program next shifted from the mode of “understanding the threat” to practical preparations. Daryl Maddox, Senior Operations Planner, Oak Ridge Associated Universities, discussed two of the program initiatives that have emerged from the DHS Protective Security Division: Site Assistance Visits (SAV) and Buffer Zone Protection Plans (BZPP). These initiatives are directed toward high value, critical infrastructure targets across the U.S.
An SAV’s focus is on the facility inside the fence line and is designed to identify critical assets, interdependencies, and vulnerabilities. An SAV also evaluates mitigating strategies, such as physical security, operational security, and blast effects. A BZPP focuses on the facility and off-site critical assets, identifying interdependencies, avenues of approach, and surveillance opportunities. Mitigating strategies include coordinated protective measures and training and equipment requirements.
Industries are selected for “critical infrastructure status” from an initial list provided by each state, which originally included more than 35,000 critical assets but has since been refined. When DHS identifies a critical infrastructure or key asset, its Protective Security Division coordinates with the DHS state representative, who recommends sites. The team preparing a BZPP is comprised of military assaulters, Special Forces, explosive ordnance disposal experts, and sometimes someone from operations as well as someone who knows the industry and the inner workings of the facilities. There is funding in DHS for approximately $50,000 per site, to be used for purchasing equipment.
Five of Oak Ridge Associated Universities’ National Security Program staff provided practical information for those responsible for improving their companies’ security and emergency response plans. Jeffrey B. Schultz, Group Manager, Operations and Training Group, conducted a workshop aimed at understanding how to improve employer site security plans.
Lester Hazen, Group Manager, Operations and Training Group, discussed sources of information available to help employers understand security threats and to plan for preventing or responding to attacks. The sources include those sponsored by the U.S. government, private industry, and foreign governments. (See Sidebar.)
Hazen stated that there is plenty of “white noise” during a crisis. The security manager must recognize the phenomenon and establish “filters” that enable him/her to discern critical nuggets of information that increase situation awareness rather than confuse it. One technique is to involve trusted subordinates (those competent in screening out the “white noise”) in the review of information before making the information available to the decision maker. However, reliable sources of information regarding training for private industry can be difficult to find. (Most are directed toward state and local government first responders.) The resources and expertise are available in the form of private companies offering the services, but significant work is necessary to find and contract for the appropriate resources.
Finally, Harry Anderson (Andy) Page, Director, ORISE/NSP, and Casey Ateah, Senior Operations Planner, discussed table top exercises (TTX). A TTX is a facilitated analysis of a scripted scenario in an informal, stress-free environment. It is designed to elicit constructive discussion as participants examine and resolve problems based on existing operational plans and identify where those plans need to be refined. The success of the exercise is largely determined by group participation in the identification of problem areas. Ateah stressed the importance of having a facilitator at the TTX, someone who knows the audience, industry, and key players. For a TTX to have impact, the participants must be the company’s decision makers.
Participant Response to the Meeting
At various points throughout the meeting and at a final wrap-up session, participants identified areas of concern and noted where they saw the need to get more information for themselves and their companies.
With regard to infrastructure protection, participants were pleased to note that more thought is being given to prevention rather than to the traditional area of response. However, there is still concern about response and recovery. Industries do not possess the knowledge of how to react to a chemical, biological, radiological, or nuclear (CBRN) attack on or near a facility. For example, do training resources exist for CBRN impact, response, and recovery that are available to private industry?
Another participant asked how companies can determine whether they are considered critical infrastructure and whether they are on the DHS Buffer Zone/Site Assist Visit list. It was suggested that companies contact their state DHS representative.
Besides the issue of prevention, business resumption planning was a resounding theme during the round table discussion. A case in point was the Northeast blackout of 2003, which had a huge ripple effect. Information for developing resumption plans is needed.
Another major point of discussion was protecting confidential business information. It seems that some are more confident in providing critical infrastructure information to DHS than to local authorities, such as county commissioners. It was suggested that if a company is going to be engaged in a BZPP or SAV, the protocol for protecting infrastructure information is to ask for CII protection. This will protect companies against disclosures under the Freedom of Information Act.
Another dilemma that was raised concerned convincing company managers that domestic security improvements are necessary. Upper management does not see the cost benefit in implementing a heightened security posture for a threat that does not seem apparent. Security managers must have the information and tools necessary to convince their managers that increased security is worth the cost. Therefore, when the government provides poor threat intelligence, it makes it that much more difficult to convince management. (Some strategies for dealing with this problem were discussed in the sources of security and threat information presentation.)
During the wrap-up session, the group discussion was guided to address what went on during the conference, whether expectations were met, and the future of NESNet. Attendees felt that Oak Ridge Associated Universities did a good job of presenting resources beneficial to security managers and felt that the company’s expertise would be a benefit in the future.
To the question of the benefit of NESNet, one attendee felt that the group now had a better understanding of DHS and its intentions. There is also a better grasp of what resources are available and how to apply them to industry. However, his focus is primarily on crisis preparedness and response, and business continuity. Although he appreciates the DHS concepts of prevention, the participant would like to see what happens after a major attack. He has more faith in local response, at least in the near term, than DHS. He would like to know how to get cost-effective capabilities to respond as a company to a crisis.
Another attendee felt that DHS is still a relative unknown. Both industry and DHS must continue to foster the relationship. He would like to continue to hear from DHS but would also like NESNet to be a source of input of industry issues into DHS.
Participants also wanted to hear from other DHS components in addition to IAIP. What else does DHS have to offer? Hearing how other industries are handling their security issues would be beneficial. Although the issue of sensitive corporate information exists, there are ways of discussing security measures without breaching security-sensitive information. Companies like ORC and ORAU could facilitate communication among different industries and among industry and government. As it stands now, there is not enough cross-industry sharing, and DHS appears too compartmentalized. Are those in DHS responsible for the infrastructure sectors communicating? Is oil and gas communicating with finance? Are the Joint Terrorism Task Forces communicating with DHS?
The issue of DHS Information Sharing and Analysis Centers (ISAC) was discussed. Most were concerned that the ISACs do not share information very well. Some attendees have had no communication with their ISAC. There is a sentiment that DHS considers ISACs to be the “be-all and end-all” of information sharing. A suggestion was made that DHS could have a private industry meeting concerning ISACs to help determine how companies might fit into their respective ISACs.
ORC representatives asked what might be the best venue for continued DHS dialogue, and what services NESNet participants would like to have provided between these sessions. Responders said that meetings like NESNet are most likely the best venue. Tracking of security legislation, coordinating member response and advocacy, and identification of best practices were areas where ORC NESNet would be helpful.
Lessons from the Effort
While the need to collaborate with persons of known expertise in security will continue to be a “must” for any on-going NESNet effort, it is also a must that the ORC senior staff representative assigned to this effort develop a more detailed understanding of security issues and partner with a reliable mentor. This type of knowledge is essential if ORC is to be able to find and attract the right type of speakers, prepare meaningful agendas, and adequately respond to client needs and concerns.
The field of homeland security is very broad and knowledge is needed to find the way to persons and organizations that can contribute to industry’s understanding of enterprise risk and efforts to reduce risk. With all of its expertise in security matters, for example, a group such as the NSP was largely unfamiliar with the types of concerns that the employer representatives had regarding employee security and safety issues, business continuity and “brand” concerns, and liability.
The attendees also felt that much of the initial presentation on developing site security plans was too elementary for their needs, while the government speakers focused on DHS activities that did not address the issue of how businesses that are not involved in the government’s activities with what are considered “critical infrastructure” industries (or that could be represented in more than one of the 13 critical sectors) could get a better understanding of what was going on in government and what could be expected of their companies.
The NSP staff was largely unfamiliar with the organization of the ISACs established by DHS, whom DHS actually interfaces with in this information sharing activity, and what to do (whom to contact) if you are not affiliated with the industry group that DHS interfaces with. There is also an issue with the ISACs being “silos” that don’t consider or share with the other ISACs when there are regulations or guidance being developed for actions industry will be required to undertake. This seems to be a key area where ORC could help facilitate information sharing and dissemination.
Finding the correct organization or group of individuals to partner with ORC is also essential. The issue of homeland security is very broad and ORC’s partners will have to be persons who can relate to the issues of interest to the members of NESNet. NSP will be the first to agree that they were not staffed to respond to many of the issues the attendees raised. Even their contacts within DHS were not sufficient to help ORC develop the type of working relationship with the Department staff that ORC is seeking to build. While NSP wants to work with industry, their primary interest is in being hired to facilitate table-top exercises, conduct security analyses, and develop buffer zone protection plans at individual sites, not necessarily to understand or affect government policy or to help in cross-industry identification and sharing of safety and security management practices.
Despite the problems encountered in the process of initiating NESNet and the general uncertainty on how to proceed with the effort, the inaugural meeting demonstrated the existence of significant interest among persons in various positions in industry in understanding and discussing homeland security issues affecting business. There is a definite need for further development of NESNet, but it is not possible for ORC to continue without securing additional staffing and partnership resources.