"A State of Normalcy"
February 2004
In this new risk management column, the changing
perceptions regarding security issues affecting both business and personal aspects
of Americans' lives after September 11, 2001, are examined, along with the costs
associated with being secure.
by David W. Nicastro
Secure Source, Inc.
Since September 11, 2001, this new phrase has taken up residence in our lives,
bringing with it the hope that Americans can some day return to a world in which
they do not have to think about the unthinkable. Like many of my friends and
neighbors, I have been tempted to entertain this new guest as each year passes.
For me, the gut-wrenching feeling of horror that historic day created has subsided.
Already, the incoherent image of a jumbo jet piercing the clean glass façade
of the World Trade Center, followed by the sight of panic-stricken New Yorkers
fleeing a massive wall of dust and glass, is fading to memory. Today, I struggle
to remind myself that this new guest is an unwelcome and dangerous presence.
As the head of a security firm with operations in some of the most tumultuous
regions in the world, suspicion has become second nature to me. The behavior
is something I adopted as a young Marine stationed at the American embassy in
Beirut just before the city erupted into all-out civil war. Like the residents
of Beirut before them, Americans must now live in a new reality where concerns
for their personal level of safety are permanent.
Today, people throughout the United States are starting to ask new questions.
Are we safe? Is it safe to travel, to go to work or school? Should I take the
kids to the ballpark? What are the chances that my business will be shut down
because an al-Qaida operative or some U.S.-born antigovernment extremist sets
off a chemical, biological, or nuclear weapon?
These questions are the right questions to ask, and they are long overdue.
But more importantly, the simple act of asking them is not enough. Too many
Americans embrace the fantasy of "normalcy" and refuse to accept the unsettling
facts of their new reality. This is a self-imposed state of mind, and at our
company, we have a term for it: total lack of awareness (TLOA).
The Lesson of September 11: Preparation Saves Lives
What have we learned since the atrocities of September 11, 2001? Let's review
what happened: A small group of trained and well-financed Islamic extremists
exploited America's airline security weaknesses, enabling them to murder thousands
of innocent people and shock the world.
The security failings leading up to that tragic day included breakdowns of
epic proportions at the Central Intelligence Agency (CIA), Federal Bureau of
Investigation (FBI), and other government agencies. We now know that numerous
warning signs which could have tipped off federal officials about the attacks,
and possibly prevented them, were overlooked. A poor system that allowed foreigners
into the United States, but failed to keep track of their whereabouts, made
it all the easier for the terrorists to carry out their evil mission.
Up until September 11, America had been dealt some harsh blows—the World
Trade Center bombing in 1993 and the Oklahoma City bombing in 1995—but by and
large we had a Total Lack of Awareness when it came to terrorism. Terrorism
was something that happened in foreign cities like Beirut, Tel Aviv, Dublin,
Rome, Bogotá, and Tokyo.
The horror of that crisp, sunny morning in September changed all that. It
has now been over 2 years since September 11, and many Americans seem to think
that we are safe once again, and security should be relaxed. Complacency is
setting in. This is a dangerous trend. If there is one thing we can be sure
about when it comes to terrorists, it is that they are patient, methodical,
and committed to creating death and destruction here in the United States. Also,
they strike when you least expect it.
Having lived in Beirut, I can remember what it was like to live in a place
where you never knew whether a sniper, bomber, or kidnapper was around the next
corner. Everyone in that city was attuned to danger signs. People were always
on alert and aware. That's what people do when they see their family and friends
terrorized on a daily basis.
In Beirut, people are cognizant of their surroundings because they have learned
that their survival depends on it. If a piece of luggage is left unattended
at the airport, concerned onlookers immediately report it to the authorities.
Likewise, if an automobile is parked in the same spot for an extended period,
it is immediately reported. Beirut is a place populated by generations of people
who grew up in the clutches of similar terror and planned violence. The same
is true for the residents of other cities who have for years been the targets
of terrorists.
America, however, is a place of freedom and is populated by generations of
people who grew up believing our country is immune to attack. Global terrorism,
including the potential use of weapons of mass destruction, unsettles us all.
But even in the wake of September 11, most Americans still see the problem as
a "national security" issue and not a "personal" issue. So when it comes to
security, Americans have one thing in common: TLOA. During the last 2 years,
we have not yet scratched the surface when it comes to adequately protecting
critical infrastructure businesses and the American communities they serve.
The bottom line is that we are still woefully ill-prepared to counteract the
threat of terrorism.
Businesses Need To Address Security Concerns
Recently, the CBS television show 60 Minutes aired a segment called
"U.S. Plant: Open to Terrorists." The
report demonstrated how easy it is for an unarmed adversary to illegally gain
access to dozens of plants in major metropolitan areas, putting over a million
people at risk in the event of a terrorist attack.
Another investigative reporter, Carl Prine of the Pittsburgh Tribune-Review, began probing
chemical plant security in March 2002—well after the U.S. government had warned
the companies that they were potential targets. In all, Mr. Prine visited 60
plants in major cities, including Chicago, Baltimore, Pittsburgh, and Houston.
He conducted his visits in broad daylight, wearing his press pass and carrying
a camera. In Chicago, Mr. Prine climbed a large storage tank containing thousands
of gallons of chemicals and waved to employees below. The hazardous chemicals
this reporter had open access to ranged from anhydrous ammonia to boron trifluoride,
a deadly colorless gas that, in the hands of terrorists, could inflict mass
casualties.
I have been a professional working in the security industry for over 25 years.
Part of the consulting work we do involves operations security (OPSEC) assessments
where we take the role of the adversary to expose security weaknesses in an
effort to tighten security measures and controls. We have conducted many such
assessments since September 11, and while I am not at liberty to disclose our
clients' names, the weaknesses we exposed are frightening. I can unequivocally
say that the 60 Minutes report is not unusual. In fact, it's the norm.
In 2002 we conducted a review of security at manufacturing plants with operations
throughout the United States and around the world. Each facility was located
near a population center of several million people. Chemicals and gasses used
in their businesses were deadly. Virtually every plant was accessible by either
tailgating behind employees that were TLOA or by "looking like you belong and
giving a friendly wave to the guard." Dock doors were open and unprotected,
alarm systems failed, closed-circuit television was ineffective, and many company
vehicles located on-site had a key in the ignition.
But this company was proactive about security. They did the right thing.
They conducted a security vulnerability assessment, and they communicated the
results to employees. In addition, they instituted changes in policy, procedures,
and capital improvement items, such as electronic access control, intrusion
detection systems, and closed-circuit television on an enterprise basis.
There are hundreds, if not thousands of American businesses that deal with
hazardous materials on a daily basis that still have done nothing about security.
Oil refineries, chemical-manufacturing plants, food processing facilities, trucking
companies, train operators, and manufacturers of all kinds still have a TLOA
when it comes to security. When properly conducted, a security vulnerability
assessment points out weaknesses in physical security, structural integrity,
protection systems, procedural policies, communications systems, and the like.
These assessments are a precaution that may never be tested. But if there is
a terrorist attack, they save lives and money.
The Cost of Being Secure
Instead of conducting these assessments, however, too many executives are
still wondering why they should bother. After all, the thinking goes, nothing
has happened since September 11, so the coast is clear, right? The state of
the economy has only encouraged this attitude: As part of the need to keep costs
down, businesses are not willing to spend money on security or any other service
that doesn't immediately increase revenue. Given the economic disincentives,
even the airlines aren't ramping up security without either being mandated to
do so by government or by seeing a positive return on their investment. Unfortunately,
too few corporate executives are willing to embrace the idea of tightening security
as a precautionary and cost-saving measure.
But what if they did? This is the question more executives should be asking.
The fact is there are costs associated with the failure to be proactive—even
if a terrorist attack never happens. If companies fail to implement their own
security measures, they risk the chance that the government will mandate change.
Many executives can attest to what happens then: one day, some bureaucrat comes
along and demands that a company implement some "special interest" driven fix
that doesn't resolve the critical issue and, instead, forces the company to
waste money.
Recently, I was speaking at an aviation conference when one of the panelists,
the owner of one of America's largest fixed-base operators, told me how officials
from the U.S. Department of Homeland Security forced him to erect a 7-foot fence
around his property. When he researched the cost, he learned that chain link
fences come in 6-, 8-, and 10-foot heights. To buy a 7-foot fence costs 30 percent
more. The government official told the owner that this was the requirement and
there was no way around it.
How ludicrous is that? You don't have to be a security expert to know that
an 8-foot fence is a better deterrent than one that's a foot shorter. But what
if the owner had gone to the expense of installing the fence before the Homeland
Security "expert" showed up? He would have met the requirement ahead of time,
saving himself 30 percent of the fence's cost, not to mention the hassle of
interacting with a federal regulator. But what scares people off is the chance
that the bureaucrat could force the owner to tear the fence down and put in
a 7-foot fence. Businessowners need protection when government agencies have
a TLOA.
This is not to say that businessowners should act rashly when it comes to
implementing measures. Rather, we need to systematically apply the right incentives
that reward business and industry for being proactive—conducting assessments
on their own and developing effective security countermeasures to reduce vulnerability.
Essentially, Americans need to change the way we behave. I believe this change
is nothing short of a major cultural change—a Security Revolution if you will,
in which everyone takes responsibility for their security. In this system, lawmakers
should give tax breaks to those companies that voluntarily implement effective
security controls into their business. Those security controls should include
training risk engineers to better identify security risks. Similarly, insurers
should give financial incentives for conducting third-party security assessments
by offering lower premiums to those customers that implement recommendations
for security improvements.
Incredibly, when it comes to offering rates for terrorism insurance, insurance
companies do not differentiate between those companies that do nothing to mitigate
risk and those that do. Outside the company, the banking industry, the Small
Business Administration, and other lenders should be more stringent about lending
money to businesses that do not have security and crisis response plans. These
plans should be based on the risk posed to the business operation and the public
at-large.
Conclusion
The United States will continue to be a sitting duck for any terrorist until
the right attention is focused on the problem. Although achieving adequate, effective
security is a complex problem, it is not insurmountable. We can correct this
precarious situation before something bad happens ... again.
Opinions expressed in Expert Commentary articles are those of the author and are
not necessarily held by the author's employer or IRMI. Expert Commentary articles
and other IRMI Online content do not purport to provide legal, accounting, or other
professional advice or opinion. If such advice is needed, consult with your attorney,
accountant, or other qualified adviser.