| https://sm.asisonline.org/Pages/School-Security-Trends.aspx | School Security Trends | GP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465 | <p>School security often involves response tools, from mass notification to surveillance to reporting. However, experts note that trends are moving away from technology as a single solution to prevention-based programs centered around information sharing, all-hazards training, and public-private partnerships.</p><p>Preventing a tragedy often starts with getting critical information into the right hands. </p><p>Take the case of two teens in Spotsylvania County, Virginia, who were arrested and charged with conspiracy to commit murder in October 2015. The two had plans to phone in a bomb threat to their school, then shoot people as they evacuated, CNN reported. A school resource officer discovered that one of the boys had threatened violence on the Internet, and the resulting investigation uncovered the plot. </p><p>In December 2015, an anonymous tip was sent to a Denver school district’s “Text-a-Tip” threat reporting hotline. Based on that information, two 16-year-old girls were found with plans to commit a mass killing at Mountain Vista High School. They were arrested and charged with conspiracy to commit first-degree murder, reported Reuters. </p><p>These stories, and many like them, have a common thread throughout: critical information was reported and acted upon in a timely manner, stopping any plans to commit harm. While some security experts do not like to classify tragedies as preventable, they say there are key threat indicators that pointed to the mass shootings and other attacks before they occurred. If communities, schools, and law enforcement work together to identify and connect these dots, future threats could be stopped. </p><p><em>Security Management </em>speaks to experts about their experience conducting threat assessments in schools and communities. </p><h4>Connecting the Dots</h4><p>After the December 2012 Sandy Hook shooting that killed 20 elementary-age children and six educators, Connecticut Governor Dannel Malloy created a 16-member panel to review policies pertaining to school safety, gun-violence prevention, and mental health. The panel recommended in a 277-page report that all schools create safety committees that include police, first responders, administrators, and custodians. The report also urged each school to take an “all-hazards” approach to safety and security training for faculty, staff, and students. </p><p>Furthermore, the panel recommended that schools form threat assessment teams that “gather information from multiple sources in response to indications that a student, colleague, or other person’s behavior has raised alarms.” The report cites the U.S. Secret Service’s behavioral threat assessment model, which has been adopted for educational institutions, the workplace, and military settings. </p><p>“Once a team has identified someone who appears to be on a pathway to violence, the team ideally becomes a resource connecting the troubled child, adolescent, or adult to the help they need to address their underlying problems,” states the report, which goes on to say that such multidisciplinary teams can conduct risk assessments when questionable behaviors arise. “These would not only identify students at risk for committing violence, but also serve as a resource for children and families facing multiple stressors.” </p><h4>Partnerships</h4><p>As outlined in the Sandy Hook report, it is critical for organizations, schools, and communities to take an all-hazards approach to assessing and preparing for threats. If there is a dedicated platform or channel where they know they can report pertinent information, those dots can be connected in a meaningful way to prevent tragedy. </p><p>Two security experts share best practices with Security Management based on their experiences with threat assessments. These programs were bolstered by building partnerships with law enforcement and the community. </p><p>Working with stakeholders. Sometimes a threat assessment reveals an obvious problem that needs fixing, while other issues are uncovered only by working and communicating with stakeholders. Such was the case for school security professional Gary Sigrist, Jr., CEO and president at Safeguard Risk Solutions. </p><p>He tells Security Management that when he first started working at the South-Western City School district in Ohio, there were some obvious changes that needed to be made. “We had building principals who told their staff members they weren’t allowed to call 911 [in an emergency], that they have to call the office first,” he says. “We changed that.” </p><p>There was one building principal who told the cafeteria cooks that if there was a fire in the kitchen, not to pull the fire alarm until they had notified him first. “I brought the fire marshal in, and we had a conversation about that,” he notes. </p><p>Sigrist explains that working with law enforcement isn’t always a seamless process; sometimes schools and police in his district differed on their vision for a safe and secure environment. </p><p>“It’s not that the police were wrong, it’s just that some of their goals and objectives didn’t sync with the goals and objectives of the school,” according to Sigrist. But establishing regular meetings with law enforcement and other first responders was key to successful collaboration. “The police would say, ‘we think you should do this,’ and the school could say, ‘that’s not a bad idea, but let’s look at it from the point of view of the school,’” he notes. “Fire drills became better because we involved the fire department in the planning of our drills, where our command posts would be, and how we were going to check students in.” </p><p>He adds that first responder collaboration should go beyond just police and fire; schools rely on medical professionals when faced with health epidemics, for example. “When the Avian Flu and H1N1 sprang into effect, we worked with our county and state boards of health, and were able to develop a pandemic plan,” he says. “We had those subject matter experts.” </p><p>Over the course of his career at SouthWestern City Schools, Sigrist twice helped secure the Readiness and Emergency Management for Schools (REMS) Grant, in 2008 and 2010, from the U.S. Department of Homeland Security. These funds helped him establish many safety programs around the district. “Those are things people say, ‘wow, you must be a wonderful person to be able to get all of this done’–no, we had grant money,” he says. “It’s amazing what you can do with half a million dollars in grant money, and also the right support from the superintendents.” </p><p>No matter how prepared a school is for an emergency, those plans are truly put to the test when disaster strikes. Such was the case for South-Western City Schools when an explosion occurred at an elementary school. </p><p>“We had a building in a rural area, and the water table shifted, causing methane gas to build up in the basement. When it built up to a certain level with the right oxygen mix, there was an explosion,” Sigrist says. A custodian was injured, but everyone was able to evacuate the building safely as they had in many drills before. </p><p>The staff had been trained on how to function as a crisis team that was three members deep. Because the principal was not present at the time of the explosion, the building secretary assumed the role of incident commander, safely evacuating everyone from the building. “And it’s just evacuation training,” he says. “We never trained her on what to do when a building blew up.” </p><p>There were some key takeaways from the event that the district saw as areas of improvement. “Did we have lessons learned? Yes,” says Sigrist. “This happened almost right at dismissal, and we had school buses parked right in front of the building. Well–they didn’t move.” </p><p>These buses prevented fire trucks and other emergency vehicles from pulling right up to the scene. “And so one of our lessons learned is, if you have an incident, how are the buses going to pull out of the parking lot so the fire equipment can get in?” </p><p>Hometown security. Schools are a major focal point of the community, but they are not the only one. Societies are also made up of private businesses whose security is paramount to the overall environment of safety. Marianna Perry, CPP, a security consultant with Loss Prevention and Safety Management, LLC, explains that because about 85 percent of critical infrastructure in the United States is privately owned, “it makes sense that these businesses and communities partner with law enforcement to address problems.” </p><p>Perry has more than 20 years of experience in conducting threat assessments for private businesses, as well as communities, including school districts. She recounts examples of how these reviews helped strengthen those localities, businesses, and law enforcement alike. </p><p>While Perry was the director of the National Crime Prevention Institute, there was a particular community with high crime rates, homelessness, and drug problems, as well as health-related issues. “There were abandoned properties, rental properties in disrepair, homes that had been foreclosed,” she says. “We were looking for a solution to help fix this community.” </p><p>Perry helped form a team of key stakeholders and partners, including law enforcement, a local university, security consultants, area churches, and the local health department. The public housing authority was also a major partner, as well as some local residents and business representatives. Initially, everyone came together for a week-long training program. The goal was to involve all partners in helping to develop strategies to improve the overall condition of the neighborhood, which in turn would help prevent crime. She says that much of the training was centered on crime prevention through environmental design (CPTED), which predicates that the immediate environment can be designed in such a way that it deters criminal activity. </p><p>She adds that the training wasn’t just focused only on preventing crime, but on several aspects of the community. “The goal was to improve the overall quality of life for everyone who lived or worked in that neighborhood,” says Perry. </p><p>The training also helped the partners learn to speak a common language. “We had all of these different people from different professional backgrounds and business cultures, and we needed them all on the same page,” she says. “They needed to be able to communicate with each other.” </p><p>A critical outcome of the training program, she says, was facilitating interaction among stakeholders, as well as developing and building trust. “It was a really successful partnership, and a lot of good was done for that community because everyone worked together to achieve common goals.” </p><p>Businesses also benefit from such assessments. Perry recently conducted a security assessment for one organization that was located in an area with one of the highest violent crime rates in the city. “Management was very concerned about the safety of their employees,” she notes. </p><p>During the assessment, Perry recommended that the company install additional cameras on the perimeter of their property for added surveillance and employee safety. The company could also share camera footage with law enforcement by tying their camera system into the citywide surveillance program. Perry worked with a local vendor to install IP cameras to cover a 10-block area. A control center operator would then monitor the cameras, and if he or she saw suspicious activity, either a security officer would be dispatched to respond, or 911 would be called. “I think people are now embracing the concept of public-private partnerships because they’re beginning to realize that they work,” Perry says.</p><p>Training. Preventing and detecting threats, while challenging, is possible when stakeholders share critical information. Having a centralized place for reporting such information is key, as well as training students, employees, and the community on how to use those platforms. </p><p>However, if the threat remains undetected or cannot be stopped, organizations should conduct all-hazards training that covers a range of possible scenarios to ensure minimal damage and loss of life, says Kenneth Trump, president of National School Safety and Security Services. </p><p>“Active shooter is one concern, certainly, but it’s just that–one concern,” he says. “There’s a much greater likelihood that school employers are going to deal with a noncustodial parent issue multiple times during a school year than that they will ever deal—during their entire career working in the school—with an active shooter incident.” </p><p>Sigrist adds that having a laser-like focus on active shooter training can be a drawback for schools, because they lose sight of issues that have a greater likelihood of occurring. </p><p>“I asked one of my clients at a Head Start school how many times they have had a drunk parent show up to pick up a child, and they said, ‘it happens all the time,’” he says. “We still teach active shooter, but by teaching how to respond in an all-hazards approach, they will know how to take action.” </p> | | |
| https://sm.asisonline.org/Pages/Management-Trends.aspx | Management Trends | GP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465 | <p><span style="line-height:1.5em;">Security managers already know that culture is key, that understanding generational differences can reduce conflict, and that effective leadership can pave the way to the C-suite. The next trend in the management field, behavioral economics, can help security design programs that get buy-in from employees.</span></p><p>What is the underlying theory of your security program? It may be about punishing bad behavior, with employees written up by managers and then referred to counseling. Or, it may be about rewarding good behavior, such as praise and performance awards for security compliance. </p><p>Chances are it’s some combination of the two, using both carrots and sticks. But there’s another, perhaps deeper, question that is often telling—why do people make choices to either comply, or not comply, with your security program?</p><p>All around us, there are small clues guiding those choices. It’s time security leaders started shaping those clues to protect employees, customers, property, and other assets. They can do so by using the applications of one of latest trends in social science—behavioral economics.</p><h4>Behavioral Economics</h4><p>Behavioral economics is the scientific examination of why people and organizations make the decisions they do, in an economic context. Its scientific pedigree has its origins in the 1970s, when technology was driving major improvements in brain research. At that time, new computing tools designed to assist in modeling, in tandem with Daniel Kahneman’s Nobel Prize–winning research on prospect theory (an economic theory that seeks to explain how people make decisions based on risk), provided a new research framework to explore how economic choices are made. Today, behavioral economics combines the practice of economics, neurobiology, and psychology to gain insight into why human beings act, or fail to act, in predictable ways.</p><p>At some level, most of us realize that <span style="line-height:1.5em;">our decision making is influenced by a variety of factors outside of our control, such as organizational norms, peer pressure, emotions, accepted stereotypes, and mental shortcuts. By closely analyzing these factors, behavioral economists can gain a sophisticated understanding of why people, and organizations, make the decisions they do—which factors take precedence over others, how different factors interact, and so on. They can also develop cues designed to steer a person or organization to a desired outcome. Such cues have been termed nudges; the people that help frame those decisions are called choice architects. </span></p><p>Public awareness of behavioral economics has slowly been gaining ground since the development of “nudge theory,” an offshoot of the science, by two academics, University of Chicago economist Richard Thaler and Harvard legal scholar Cass Sunstein. In their 2008 book Nudge: Improving Decisions about Health, Wealth, and Happiness, the two scholars postulate that there are subtle and blatant clues everywhere to influence behavior. (In the wake of his book’s success, Sunstein went on to serve as administrator of the White House office of information and regulatory affairs from 2009 to 2012.) Those clues may be accidental, but they can greatly impact the decisions we make, and there are scientific reasons for why they work or fail.</p><p>The authors argue that behaviors are guided just as much by on-the-spot decisions based on these clues, and the context these clues are found in, as they are by deeply held ethical or moral codes. Under the authors’ definition, a clue can be considered a nudge if two criteria are satisfied: the individual is free to choose it or not, and there is very little or no cost in choosing to go with the nudge as opposed to other options. In this way, nudges are meant to be subtle, not overtly coercive. </p><p>The nudge concept isn’t entirely new. We’ve been nudged in many ways since birth. It only takes a trip to the grocery store to notice that the sugary sweet cereals are stocked at exactly the eye level of a seven-year-old, while bran flakes occupy the upper shelves. Consumers’ decisions about what action to take are influenced largely by what is put into their path. At any given time, our brains are processing a mountain of information and sensory input, so easy choices, which require less effort than searching for another option, are often viewed by the mind as the correct ones. This is especially true if the clues and context surrounding those choices don’t make them seem especially important.</p><h4>Security Nudges</h4><p>Imagine having the ability to use nudges and clues as a designer and enforcer of a security program? The secret is that that you do. As a security manager, you have the ability to help make the correct choice for security the simplest choice for the user. In other words, you are a choice architect.</p><p>However, one concept must be understood before security managers can become effective choice architects. Thaler and Sunstein describe the concept as the difference between econs and humans. Econs are imaginary constructs developed by the writers of economics textbooks. They are people with the brilliance of Einstein, the self-control of Gandhi, and the logical prowess of a Vulcan who can predict reactions in a variety of environments. All econs do the same thing—and almost always, the correct thing—in any given situation.</p><p>In case you hadn’t noticed, we don’t work with econs. We work with humans. Humans are generally smart and well-meaning, but they are far from perfect in on-the-spot decision making. Further, humans are barraged every day with factors that drive them to do exactly the opposite of what their infinitely wise, long-range-thinking econ-selves would do. </p><p>Unfortunately, the idea that econs and humans are interchangeable continues to stick around in the world of security. The overwhelming majority of security policies today treat employees as econs, not as the humans they truly are. Econs don’t need assistance complying with our complex security policies, humans do. So the idea is to help nudge the humans in the right direction—toward security compliance. </p><p>Following are several examples of how nudge theory, and choice architecture, can be used in a security context. Gaming Speed </p><p>An interesting example of a security nudge comes from law enforcement in the form of a speed camera that rewards speed compliance. In 2008, the city of Stockholm, Sweden, introduced a speed camera along a problematic stretch of road in a town center. Initially the camera was placed to record the speed and license plates of violators, but later it was made the focus of an experiment in nudging. The camera would record not only the speed and license tag numbers of speeders, but also the speed and license tags of those who were respecting the 30 kilometer-per-hour (kph) speed limit. </p><p>At the end of the experiment, all drivers who were photographed driving at or below the speed limit were entered into a raffle, with the winner awarded a check for 20,000 kroner (roughly $3,000) partially paid by the fines of speeders. This spurred a dramatic change in average speed. Prior to the experiment, the average speed on that stretch of roadway was 32 kph. After the introduction of the “speed lottery,” the average speed dropped 22 percent, to 25 kph. </p><p>Besides being a successful nudge, the speed example is also an excellent example of gamification. It encouraged people to comply with speed limits and improve public safety, while also giving them entry into a larger game to win a tangible, but not budget-busting, prize. </p><h4>Out of Pocket</h4><p>Security nudges have also been employed to increase security efficiency and compliance at airports. One of the first took place at the Nepalese airport of Tribhuvan, where officials noticed a marked increase in graft among airport customs inspectors. </p><p>Nepal was hard hit in the economic slowdown of 2008, and many Nepalese sought employment outside of the country to support family members. When these expatriates returned to Nepal, crooked customs inspectors preyed upon them by insisting on bribes in exchange for quick facilitation through customs while they were in possession of foreign currency, which otherwise could have delayed their entry. </p><p>Nepalese anticorruption authorities fought back by redesigning the uniforms of airport customs workers to remove all the pockets. Collecting payola becomes much more complicated without a convenient pocket to quickly stash the loot. The lack of pockets also served as a reminder for the customs workers to adjust their behavior and avoid illegal activity. Every time employees reached for their pockets, they were reminded about corruption and management’s refusal to condone it. Although there has been no formal study performed to assess the effectiveness of bribe-resistant trousers, news reports have found that graft and bribe-taking has been reduced at Tribhuvan airport. </p><p>Creative nudges also help the flow of lines at U.S. airport security checkpoints. By and large, passengers choose the shortest available line to proceed through security screening. However, each passenger situation is different, so the shortest line may not necessarily turn out to be the fastest—six frequent business travelers familiar with airport security routine might proceed much faster than a vacationing family of four that fly infrequently. </p><p>So, airports near ski resorts have taken to designing self-selection lines marked according to a ski slope theme: Green Circles for families and those needing special assistance, Blue Squares for frequent travelers somewhat familiar with TSA procedures, and Black Diamonds for the expert travelers. </p><p>Under this system, there is no enforcement of lanes; passengers are free to choose whichever line they wish. However, by encouraging people to make proper line choices through color coding, security personnel are able to channel passengers toward the type of security screening they would be best served by, and increase the overall efficiency and security of the entire system. In nudge theory terms, this is a good example of placing a “designed decision” in front of a security customer.</p><h4>Engage to Nudge</h4><p>The National Retail Federation estimated 2014 retail losses due to inventory shrinkage at $44 billion. Facing such challenges, the field of loss prevention is one of the most dynamic in security today, and is also a discipline full of nudges. </p><p>Most retail stores have some form of CCTV monitoring for the prevention and investigation of theft, and this technology can be used to nudge customer behavior. The most visible nudge is conveyed through the placement of a live CCTV video feed at the store entrance. This provides an immediate environmental reminder to would-be thieves that they are being watched and the store is on the lookout for shoplifters. </p><p>Another frequent nudge is conveyed through employee engagement with customers. According to the ASIS Retail Loss Prevention Council, a staff that greets customers and maintains active engagement with them can significantly reduce retail theft. </p><p>There are actually two nudges here. The first is the interaction between the employee and shopper; the customer is reminded that the employee is committed to the job, and consequently of the risk of getting caught if the shopper decides to shoplift. The second is the employer nudging the employee to habitually engage customers. This is usually accomplished when the employer sets default rules; it becomes the expected norm of all employees through training, feedback, and evaluations. The added benefit is that it allows security and customer service to be on the same side of an issue, and that’s an increasingly rare opportunity. </p><p>Other possible nudge cues to deter shoplifting are explored in the paper Nudge, Don’t Judge: Using Nudge Theory to Deter Shoplifters, by Dhruv Sharma and Myles Scott of Lancaster University. They include signs that offer to donate profits not lost to shoplifting to charity; attention-grabbing events such as music or videos when customers interact with certain products; and applying the general premise of crime prevention through environmental design (CTPED) to store layouts to increase visibility and surveillance coverage. </p><h4>Nudge Training</h4><p>Security nudges have also been incorporated into awareness training. In 2014, the XL Group, a global insurance provider, sponsored an employee challenge. Each time an employee viewed one of the company’s security videos, XL would donate a dollar to charity. The videos were short (usually about a minute long), and focused on helping the employee secure not only vital company information, but personal information as well. The donations also appealed to an employee’s sense of social responsibility by involving a charity. The campaign managed to amass over 10,000 views of security videos, and a hefty charity donation.</p><p>Some U.S. government agencies are also using nudge theory practices in security training. In an effort to train employees on the proper ways to respond to email phishing attacks, one agency offered the following incentive: everyone who correctly followed procedure in a phishing attack exercise was made eligible for a small “Phishing Derby” prize. The cost of the prize was minimal (less than $50 dollars), but offering it greatly increased participation compared with previous exercises. </p><p>Another agency took a different approach. When the agency sent out reminder notices to employees to complete mandatory security training, it made sure that the notices included the percentage of other employees who had already completed the training. Thus, this approach used peer pressure to conform in a nudge aimed at achieving the desirable result. The result was a higher completion rate, and in a shorter time, than previous years. </p><h4>Developing Security Nudges</h4><p>Nudges can be used anywhere a user is offered a choice to do the correct thing versus the incorrect thing. The keys are understanding your security policy, understanding your users, and sustaining a willingness to experiment. </p><p>The best place to start is with your own security metrics, especially those that are the most problematic. What areas, process, or programs have been the most troublesome in terms of compliance? A brainstorming session with a good cross section of security personnel (who in this context are serving as choice architects) often results in useful data and ideas for developing nudges. This cross section should include not only program leaders but program users, who are often the source of the most valuable insights—they provide the “ground truth” on how effective existing security measures really are, and on the parts of the program that are most at risk of noncompliance. </p><p>It’s also important to recognize what kind of decision we’re trying to influence, in the terms sketched out by Thaler and Sunstein:</p><p> • A complex decision: A decision with many variables</p><p> • An overwhelming decision: A decision with many options</p><p> • An infrequent decision: A decision that comes up very rarely</p><p> • A low feedback decision: No obvious feedback from the decision</p><p> • A delayed consequences decision: Where the feedback comes much later</p><p><br> </p><p>Then, according to Thaler and Sunstein, we need to figure out what flavor of nudge to use:</p><p> • Default rules: Change the rule for everybody to a compliant default</p><p> • Environmental reminders: Posters, checklists</p><p><span style="line-height:1.5em;">- Commitment reminders: Constant reminders to steer behavior, like wearing a fitness band as a reminder to take the stairs</span></p><p> • Designed decisions: Placing the correct decision in front of the customer at the instant the decision needs to be made</p><p><br> </p><p>When implementing nudges, it’s always important to keep two things in mind: ethics and metrics. Ethical nudges don’t compromise the autonomy or the integrity of employees and customers. They simply nudge them into making the correct decision regarding policies they have already agreed to.</p><p>Metrics are necessary both to ensure that the nudges are effective and to justify resources needed to implement them. Few things in business are free; even things that seem small normally have some kind of cost attached to them. The best way to address management on these issues is the cost-benefit approach: have a story to tell, explain the financial and reputational costs of noncompliance, and come prepared with a full cost accounting of the nudge and a plan to for implementation. Make approving your plan the “easy” thing to do. If you haven’t caught on by now, you’re nudging your management. </p><h4>Sample Security Nudge</h4><p>Here’s an example case of how security nudges can be developed. Nudgella, the security manager at Company X, has noticed an increase in security incidents involving sensitive company information left unattended in the copy room. So Nudgella sets a meeting with the head of the guard force, along with representatives of human resources and IT, to determine the causes and seek solutions. </p><p>In the meeting, it is determined that the issue with the copy room is that employees are printing sensitive documents to the community printer and then failing to retrieve them. Thaler and Sunstein would call this a “delayed consequences decision.” The person actually printing the document doesn’t suffer any consequences for failing to retrieve it for a period of some time, if at all. </p><p>Those attending the meeting brainstorm solutions, and three rise to the top for possible implementation: an environmental reminder in the form of signs placed around the office reminding employees of their responsibility to safeguard sensitive information; a default rule that would switch all employees to a “secure print” mode where they would be required to input a code at the printer to retrieve their document; and a commitment reminder in the form of a pop-up window reminding employees to retrieve their printouts every time the print button is clicked on. </p><p>Now, the managers need to convince the C-suite. They arrange a meeting, and the security manager brings in a well-developed plan that can be implemented at minimal cost. Since the IT folks were brought in at the beginning, the technical solutions of secure printing and pop-up banners are well thought out. Since HR was part of the process, any concerns about ethics and privacy were addressed early on. The guard force has already agreed to make periodic rounds of the copy room to assess compliance and provide metrics reporting. </p><p>The CEO and CIO couldn’t be happier with the effort. Nudge accomplished. </p><h4>Embrace Choice, Embrace Change<br></h4><p>Here’s the big picture question for security managers: Is it easier for an employee to comply with specific security policies and procedures, or not comply? If the answer is not comply, some nudges may be in order.</p><p>Given its importance, security compliance can be seen as a high-value, all-encompassing moral imperative. But managers should also view it as a series of choices made every minute of every day by every individual. Thus, it is the job of the security professional to enable every individual to make the correct choice by making those choices the easiest and least painful ones. Security managers are not just compliance enforcers. They should also embrace their role as choice architects, which will lead them to become change architects as well. </p><p>--<br></p><p><em><strong>Sean Benson, CPP</strong>, is a program security specialist at ISS Action, Inc. He is currently leading technology protection efforts on NASA’s Space Launch System. He is the chairman of the ASIS North Alabama Chapter.</em></p> | | |
| https://sm.asisonline.org/Pages/Soft-Target-Trends.aspx | Soft Target Trends | GP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465 | <p>When most people think of Orlando, Florida, Walt Disney World Resort comes to mind. The world-renowned theme park makes Orlando the second most popular travel destination in the United States. But there is much more to the city than Mickey and Minnie Mouse. </p><p>Beyond the complex infrastructure that supports Orlando’s 2.3 million citizens, the city is filled with parks and wildlife, the largest university in the country, and a vast hospitality industry that includes more than 118,000 hotel rooms. And International Drive, an 11-mile thoroughfare through the city, is home to attractions such as Universal Orlando Resort, SeaWorld Orlando, and the Orange County Convention Center, the site of ASIS International’s 62nd Annual Seminar and Exhibits this month. </p><p>Hospitality goes hand-in-hand with security in Orlando, where local businesses and attractions see a constant flow of tourists from all over the world. And at the Dr. Phillips Center for the Performing Arts, which hosts events ranging from Broadway shows to concerts to community education and events, a new security director is changing the culture of theater to keep performers, staff, and visitors safe.</p><h4>The Living Room of the City</h4><p>Open since November 2014, the Dr. Phillips Center spans two blocks and is home to a 2,700-seat main stage, a 300-seat theater, and the Dr. Phillips Center Florida Hospital School of the Arts. The building’s striking architecture, which includes a canopy roof, vast overhang, and a façade made almost entirely of glass, stretches across two blocks and is complemented by a front lawn and plaza.</p><p>After the June 11 shooting at Pulse nightclub less than two miles south of the theater, that lawn became the city’s memorial. Days after the shooting, the Dr. Phillips Center plaza, normally used for small concerts or events, hosted Orlando’s first public vigil. A makeshift memorial was established on the lawn, and dozens of mourners visited for weeks after the attack.</p><p>Chris Savard, a retired member of the Orlando Police Department, started as the center’s director of security in December, shortly after terrorists killed dozens and injured hundreds in attacks on soft targets in Paris. Prior to Savard, the center had no security director. Coming from a law enforcement background to the theater industry was a challenging transition, he says. </p><p>“Before I came here, I was with an FBI terrorism task force,” Savard says. “Bringing those ideologies here to the performing arts world, it’s just a different culture. Saying ‘you will do security, this is the way it is’ doesn’t work. You have to ease into it.”</p><p>The Dr. Phillips Center was up and running for a year before Savard started, so he had to focus on strategic changes to improve security: “The building is already built, so we need to figure out what else we can do,” he says. One point of concern was an overhang above the valet line right at the main entrance. Situated above the overhang is a glass-walled private donor lounge, and Savard notes that anyone could have driven up to the main entrance under the overhang and set off a bomb, causing maximum damage. “It was a serious chokepoint,” he explains, “and the building was designed before ISIS took off, so there wasn’t much we could do about the overhang.”</p><p>Instead, he shifted the valet drop-off point, manned by off-duty police officers, further away from the building. “We’ve got some people saying, ‘Hey, I’m a donor and I don’t want to walk half a block to come to the building, I want to park my vehicle here, get out, and be in the air conditioning.’ It’s a tough process, but it’s a work in progress. Most people have not had an issue whatsoever in regards to what we’ve implemented.”</p><p>Savard also switched up the use of off-duty police officers in front of the Dr. Phillips Center. He notes that it can be costly to hire off-duty police officers, who were used for traffic control before he became the security director, so he reduced the number of officers used and stationed them closer to the building. He also uses a K-9 officer, who can quickly assess a stopped or abandoned vehicle on the spot. </p><p>“When you pull into the facility, you see an Orlando Police Department K-9 officer SUV,” Savard explains. “We brought two other valet officers closer to the building, so in any given area you have at least four police cars or motorcycles that are readily available. We wanted to get them closer so it was more of a presence, a deterrent.” The exact drop-off location is constantly changing to keep people on their toes, he adds.</p><p>The Dr. Phillips Center was already using Andy Frain Services, which provides uniformed officers to patrol the center around the clock. Annette DuBose manages the contracted officers. </p><p>When he started in December, Savard says he was surprised that no bag checks were conducted. When he brought up the possibility of doing bag checks, there was some initial pushback—it’s uncommon for theater centers to perform any type of bag check. “In the performing arts world, this was a big deal,” Savard says. “You have some high-dollar clientele coming in, and not a lot of people want to be inconvenienced like that.”</p><p>When Savard worked with DuBose and her officers to implement bag checks, he said everyone was astonished at what the officers were finding. “I was actually shocked at what people want to bring in,” Savard says. “Guns, knives, bullets. I’ve got 25-plus years of being in law enforcement, and seeing what people bring in…it’s a Carole King musical! Why are you bringing your pepper spray?”</p><p>Savard acknowledges that the fact that Florida allows concealed carry makes bag checks mandatory—and tricky. As a private entity, the Dr. Phillips Center can prohibit guns, but that doesn’t stop people from trying to bring them in, he notes. The Andy Frain officers have done a great job at kindly but firmly asking patrons to take their guns back to their cars, Savard says—and having a police officer nearby helps when it comes to argumentative visitors.</p><h4>Culture, Community, and Customer Service</h4><p>There have been more than 300 performances since the Dr. Phillips Center opened, and with two stages, the plaza, classrooms, and event spaces, there can be five or six events going on at once. </p><p>“This is definitely a soft target here in Orlando,” Savard notes. “With our planned expansion, we can have 5,000 people in here at one time. What a target—doing something in downtown Orlando to a performing arts center.”</p><p>The contract officers and off-duty police carry out the core of the security- related responsibilities, but Savard has also brought in volunteers to augment the security presence. As a nonprofit theater, the Dr. Phillips Center has a large number of “very passionate” volunteers—there are around 50 at each show, he says. </p><p>The volunteers primarily provide customer service, but Savard says he wants them to have a security mindset, as well—“the more eyes, the better.” He teaches them basic behavioral assessment techniques and trends they should look for. </p><p>“You know the guy touching his lower back, does he have a back brace on or is he trying to keep the gun in his waistband from showing?” Savard says. “Why is that person out there videotaping where people are being dropped off and parking their cars? Is it a bad guy who wants to do something?”</p><p>All 85 staffers at the Dr. Phillips Center have taken active shooter training classes, and self-defense classes are offered as well. Savard tries to stress situational awareness to all staff, whether they work in security or not. </p><p>“One of the things I really want to do is get that active shooter mindset into this environment, because this is the type of environment where it’s going to happen,” Savard explains. “It’s all over the news.”</p><p>Once a month, Savard and six other theater security directors talk on the phone about the trends and threats they are seeing, as well as the challenges with integrating security into the performing arts world. </p><p>“Nobody wanted the cops inside the building at all, because it looked too militant,” Savard says. “And then we had Paris, and things changed. With my background coming in, I said ‘Listen, people want to see the cops.’” </p><p>Beyond the challenge of changing the culture at the Dr. Phillips Center, Savard says he hopes security can become a higher priority at performing arts centers across the country. The Dr. Phillips Center is one of more than two dozen theaters that host Broadway Across America shows, and Savard invited the organization’s leaders to attend an active shooter training at the facility last month. </p><p>“There’s a culture in the performing arts that everything’s fine, and unfortunately we know there are bad people out there that want to do bad things to soft targets right now,” Savard says. “The whole idea is to be a little more vigilant in regards to protecting these soft targets.”</p><p>Savard says he hopes to make wanding another new norm at performing arts centers. There have already been a number of instances where a guest gets past security officers with a gun hidden under a baggy Cuban-style shirt. “I’ll hear that report of a gun in the building, and the hair stands up on the back of my neck,” Savard says. “It’s a never- ending goal to continue to get better and better every time. We’re not going to get it right every time, but hopefully the majority of the time.”</p><p>The Dr. Phillips Center is also moving forward with the construction of a new 1,700-seat acoustic theater, which will be completed within the next few years. The expansion allows the center to host three shows at one time—not including events in private rooms or on the plaza. Savard is already making plans for better video surveillance and increasing security staff once the new theater is built.</p><p>“We really try to make sure that everybody who comes into the building, whether or not they’re employed here, is a guest at the building, and we want to make sure that it’s a great experience, not only from the performance but their safety,” according to Savard. “It’s about keeping the bad guys out, but it’s also that you feel really safe once you’re in here.” </p> | | |
| https://sm.asisonline.org/Pages/Resilience-Trends.aspx | Resilience Trends | GP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465 | <p><span style="line-height:1.5em;">“Thousands have lived without love, not one without water,” poet W.H. Auden famously said. In many countries, enjoying a safe and secure water supply is something most take for granted. The United States, for example, has had an “unrivalled tradition” of low-cost, universal access to drinking water, says Robert Glennon, a water policy expert at the University of Arizona and author of Unquenchable: America’s Water Crisis and What to Do About It. In actuality, a safe and secure water supply is never a given, and there are signs that the recent water crisis in Flint, Michigan (covered in Security Management’s May issue), may be a canary in the coal mine for the future of America’s water. The U.S. water and wastewater system is in urgent need of repair and replacement; some of the piping dates back to the Civil War era, experts say. But federal and state funding appropriations have been insufficient for keeping water supply infrastructure in good repair.</span></p><p>“For years, there’s been a general inadequacy in funding,” Glennon says. As recent proof, Glennon cites the American Recovery and Reinvestment Act of 2009, commonly known as President Barack Obama’s $787 billion stimulus package. “A small fraction of that, less than 1 percent, was devoted to water and wastewater,” he explains.</p><p>The American Water Works Association has estimated that repairing the million-plus miles of water mains across the country, and expanding that infrastructure so that it can adequately serve the country’s growing population, could cost up to $1 trillion over the next 25 years. The U.S. Environmental Protection Agency (EPA) has a lower estimate: roughly $330 billion over 20 years.</p><p>Both of these estimates dwarf the existing $1.38 billion that state and local governments are spending annually on drinking water and wastewater infrastructure, according to statistics from the American Society of Civil Engineers (ASCE). (Using a comparable 20-year time frame, the ASCE estimate comes to roughly $28 billion, or only about 8 percent of the EPA’s estimate of needed funding.) </p><p> Besides inadequate funding for repair, demand is growing, not only from an increasing population but from high-tech industries. Large corporations with cloud computing operations occupy enormous industrial facilities that are air conditioned. “This requires a heck of a lot of water,” Glennon says. </p><p>In addition, environmental factors pose challenges to a secure U.S. water supply. In states like Florida, rising sea levels are pushing into coastal aquifers and causing saltwater intrusion, making the aquifers more saline and problematic for human consumption. </p><p>Worldwide, a possible future water crisis is a problem alarming many, in part because of its potentially disastrous cascading effects on the global economy. A survey released by the 2016 Global Economic Forum found that a water crisis is the top concern for business leaders over the next 10 years. Further in the future, the global water situation continues to look grim, by several measures. By 2030, a stable supply of good quality fresh water can no longer be guaranteed in many regions, and a 40 percent global shortfall in supply is expected, according to the Carbon Disclosure Program’s (CDP) Water Program.</p><p>By 2050, an inadequate supply of water could reduce economic growth in some countries by as much as 6 percent of GDP, “sending them into sustained negative growth,” says a recent World Bank report, High and Dry: Climate Change, Water, and the Economy. Regions facing this risk include India, China, the Middle East, and much of Africa. Water insecurity could also ramp up the risk of conflict and instability—droughts can spur a spike in food prices, which can in turn cause civil unrest and increase migration. While 2050 might seem quite far in the future, water-related challenges are happening right now. The World Bank report also found that 1.6 billion people currently live in nations that are subject to water scarcity, and that number could double over the next two decades.</p><p>Moreover, a water crisis can have a devastating effect on the global economy. The CDP’s Water Program estimates that, if current status quo water management policies are sustained worldwide, $63 trillion in assets will be put at risk. Such economic challenges are highlighting the importance of improved water governance, which includes an emphasis on positioning the water supply so that it is more resilient in the face of challenges due to demand, the environment, and other factors, says Hart Brown, who leads the organizational resilience practice at HUB International and is a member of the ASIS International Crisis Management and Business Continuity Council.</p><p>“In light of the case in Flint, as well as droughts, floods, and the potential competition for water resources, improved water governance is being brought to the forefront of many conversations,” Brown says. When resilience enters the conversation, the challenge becomes creating an “adaptive capacity,” or “diversification of the water and sanitation systems.” </p><p>However, there is no one resilience model that can be successfully replicated for all water supply and treatment plants, because each system is a unique combination of human, technological, and environmental factors, Brown explains. In the United States, a wide range of water systems could potentially benefit from resiliency upgrades, he says. Those include conventional utility piped water supply systems; dug wells and tube wells (wells in which a long pipe is bored into an underground aquifer); rainwater harvesting operations; unprotected water sources such as rivers and streams; and cooperative developments in areas that share transboundary water resources.</p><p> Improving the resiliency of any water system takes investment, but just as important, it takes sound science, Brown says. </p><p>“Water managers need access to the best available scientific information and water risk assessments to support these long-term water-related decisions, including the ability to forecast and plan for important capital expenditures,” he explains. Businesses also have a role to play, especially those that rely on water for production, manufacturing, agriculture, and power generation purposes, he adds. Some businesses are already being strategic in this area; they consider shared responsibility and sustainability of water systems a core function. </p><p>“Partnerships with local communities are important in the ability to overcome shared water risks,” Brown says. </p><p>Globally, improved resiliency and water management practices, if given sufficient investment, have the potential to pay tremendous dividends, the World Bank report argues. It calls for a three-point approach: improving resiliency to extreme weather events by improving storage capacities, reusing facilities, and other tools; optimizing the use of water through better planning and incentives; and expansion of the water supply, where appropriate, through recycling, desalination, and damns.</p><p>“While adopting policy reforms and investments will be demanding, the costs of inaction are far higher. The future will be thirsty and uncertain,” the report says.</p> | | |
| https://sm.asisonline.org/Pages/Compliance-Trends.aspx | Compliance Trends | GP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465 | <p><span style="line-height:1.5em;">In r</span><span style="line-height:1.5em;">ecent years, security professionals have been bombarded with rules and regulations on corruption as well as court rulings on discrimination and harassment. The upcoming compliance trend centers around safety and health. A new rule on reporting workplace fatalities, injuries, and illnesses will bring workplace safety practices under scrutiny. Almost 5,000 U.S. employees were killed at work in 2014, a 5 percent increase from the number of reported fatal work injuries in 2013. And nearly 3 million people experienced a workplace injury or illness in 2014, according to the U.S. Department of Labor’s (DOL) Bureau of Labor Statistics (BLS). </span></p><p>To make data about these incidents more accessible to the public, the DOL’s Occupational Safety and Health Administration (OSHA) issued a final rule, Improve Tracking of Workplace Injuries and Illnesses, in May 2016, that requires many employers to electronically submit information about workplace injuries and illnesses to the government. The government, in turn, will then make this information available online in a public database.</p><p>“Since high injury rates are a sign of poor management, no employer wants to be seen publicly as operating a dangerous workplace,” Assistant Secretary of Labor for Occupational Safety and Health Dr. David Michaels said in a statement. “Our new reporting requirements will ‘nudge’ employers to prevent worker injuries and illnesses to demonstrate to investors, job seekers, customers, and the public that they operate safe and well-managed facilities.”</p><p>Additionally, Michaels said that greater access to injury data will also help OSHA better target compliance assistance and enforcement resources to “establishments where workers are at greatest risk, and enable ‘big data’ researchers to apply their skills to making workplaces safer.”</p><h4>What’s in the new rule?</h4><p>Under the Occupational Safety and Health Act of 1970, employers are responsible for providing a safe workplace for employees. As part of this act, OSHA already required many employers to keep a record of injuries and illnesses, identify hazards, fix problems, and prevent additional injuries and illnesses. </p><p>Under the new rule, all employers with 250 or more employees at a single facility covered by the recordkeeping regulation must electronically submit injury and illness information to OSHA in three forms: 300 (log of work-related illnesses and injuries), 300A (summary of work-related illnesses and injuries), and 301 (injury and illness incident report).</p><p>OSHA argues that, together, these forms will paint a picture of the number of injuries, number of fatalities, lost time, total lost days, total restricted work days, and the total number of employees at each location of a company.</p><p>And OSHA will be able to use it to answer certain questions. For example, within a given industry, what are the characteristics of establishments with the highest injury and illness rates? What are the characteristics of establishments with the lowest rates of injuries and illnesses? What is the relationship between an establishment’s injury and illness data and data from other agencies?</p><p>Facilities with 20 to 249 employees in certain high-risk industries will also be required to submit information from form 300A electronically. These are 67 industries identified by OSHA that have historically high rates of occupational injury and illness, including manufacturing, construction, urban transit systems, utilities, and more.</p><p>The requirement for facilities to submit the 300A summaries electronically goes into effect on July 1, 2017. If required, facilities must submit forms 300 and 301 electronically by July 1, 2018, and will be required to submit all three forms electronically by March 2, 2019.</p><p>OSHA will upload this data, after ensuring that no personally identifiable information is included, to a publicly accessible database. The details of the database, however, have not yet been released because OSHA is still creating it.</p><p>OSHA’s mission is to protect the safety and health of workers. This new rule, OSHA’s Office of Communications tells Security Management, will support that mission.</p><p>First, as previously noted, access to injury data will help OSHA better target compliance assistance and enforcement resources to establishments where workers are at greatest risk.</p><p>“The final rule’s provisions requiring regular electronic submission of injury and illness data will allow OSHA to obtain a much larger data set of more timely, establishment-specific information about injuries and illnesses in the workplace,” the rule says. “This information will help OSHA use its enforcement and compliance assistance resources more effectively by enabling OSHA to identify the workplaces where workers are at greatest risk.”</p><p>One example OSHA gives in the rule itself is that the data will help it identify small and medium-sized employers who report high overall injury and illness rates for referral to its consultation program. </p><p>“OSHA could also send hazard-specific educational materials to employers who report high rates of injuries or illnesses related to those hazards, or letters notifying employers that their reported injury and illness rates were higher than the industry-wide rates,” the rule explains.</p><p>The practice of sending high-rate notification letters, for instance, has been associated with a 5 percent decrease in lost workday injuries and illnesses in the following three years, OSHA says.</p><p>OSHA also maintains that publicly disclosing work injury data will encourage employers to prevent work-related injuries and illnesses.</p><p>The new reporting requirements are also designed to save government time and money. The agency believes that the new rule will convince “employers to abate hazards and thereby prevent workplace injuries and illnesses, without OSHA having to conduct onsite inspections.” </p><h4>What else does the rule do?</h4><p>Along with the electronic reporting requirements, the rule also reemphasizes whistleblower provisions for employees to report injury and illness without fear of retaliation. </p><p>“The rule clarifies the existing implicit requirement that an employer’s procedure for reporting work-related injuries and illnesses must be reasonable and not deter or discourage employees from reporting,” the office explains. “It also incorporates the existing statute that prohibits retaliation against employees for reporting work-related injuries or illnesses.” </p><p>Including the term “reasonable” is new for OSHA, says Edwin Foulke, Jr., partner at Fisher Phillips who cochairs the firm’s Workplace Safety and Catastrophe Management Practice Group and who was the head of OSHA from 2006 to 2008. </p><p>“Before, you were required to make sure that your employees knew that there was a system to report,” he adds. Now, however, OSHA requires that that system be a reasonable one.</p><p>While it is unclear how exactly OSHA is defining “reasonable,” it does explain in the rule that “for a reporting procedure to be reasonable and not unduly burdensome, it must allow for reporting of work-related injuries and illnesses within a reasonable timeframe after the employee has realized that he or she has suffered a work-related injury or illness.”</p><p>If employers are caught discouraging employees from reporting illness or injury, they can be cited by OSHA for retaliation. “Before, the employee had to file a complaint. Now, for an employer to get cited and to be penalized, OSHA can do that in an inspection under this new standard,” Foulke says. “So this is a whole new area, and they’re going to be looking.” </p><p>Actions that could be considered retaliation include termination, reduction in pay, reassignment to a less desirable position, or any other adverse action that “could well dissuade” a reasonable employee from making a report, the rule explains.</p><p>OSHA also has taken the stance in the rule that “blanket post-injury drug testing policies deter proper reporting” of workplace injuries and illnesses. Because of this, the rule prohibits employers from using drug testing—or the threat of drug testing—as a form of adverse action against employees who report injuries or illnesses.</p><p>“To strike the appropriate balance here, drug testing policies should limit post-incident testing to situations in which employee drug use is likely to have contributed to the incident, and for which the drug test can accurately identify impairment caused by drug use,” the rule says. </p><p>For instance, OSHA says it would not be reasonable to drug-test an employee who reports a bee sting or a repetitive strain injury. </p><p>“Such a policy is likely only to deter reporting without contributing to the employer’s understanding of why the injury occurred, or in any other way contributing to workplace safety,” OSHA explains.</p><p>However, if workers’ compensation laws require an employer to conduct drug testing, then this type of drug testing would not be considered retaliatory, OSHA adds.</p><h4>What should employers do? </h4><p>Because of potential liability and opportunities for citations, Foulke recommends that companies take several actions in response to the new rule. </p><p>For instance, employers should look at how they advise their employees to report injuries and illnesses under the record keeping standard. OSHA has said that companies can meet this requirement by posting the “Job Safety and Health—It’s the Law” workers’ rights poster from April 2015.</p><p>Employers should make sure that their reporting process is “reasonable and doesn’t somehow discourage people, because, if it is, they are going to get cited for it and maybe open themselves up to a whistleblower retaliation claim,” according to Foulke.</p><p>A whistleblower retaliation claim could be likely because this is an issue that OSHA has been increasingly focused on during the Obama administration’s second term, he says. </p><p>Employers also need to know their rights during an OSHA inspection, a process that many are unfamiliar with. For example, Foulke says that when OSHA comes in to do an inspection based on a complaint it has received, it will frequently attempt to expand the visit into a “wall-to-wall” inspection.</p><p>“If the employer doesn’t assert their rights and allows a wall-to-wall, then potentially they could have many more citations,” Foulke explains.</p><p>Additionally, the business community has expressed concerns that the new rule will force them to publicly reveal secret business details that were previously considered privileged and confidential.</p><p>“When you fill out the 300 logs and also the 300A summaries, they are going to talk about departments and processes—especially in the 301, you may have some information that may be somewhat proprietary,” Foulke says. “Employers are going to have to be very careful about what they put when they’re submitting their data, that they basically look and provide only the minimum that they are required to provide.”</p><p>And employers should also recognize how the data they submit to OSHA may be used once it is publicly available. This is because using the information from the 300 and 301 forms, analysts will be able to determine the death, injury, and illness rate of a particular company to compare it to the industry average. </p><p>“Now that data could be used by union organizers who want to try to organize a company to show how bad at safety they are,” Foulke explains. “They can take that data and say, ‘Look how many injuries and illnesses this company has.’”</p><p> “Plaintiffs’ lawyers could look at it and say, ‘Look at this company. They have all these injuries there. Obviously something is going on there, so I need to go out to that plant, find one of those employees who got injured, and throw a class action against the company for all these injuries,’” Foulke says. </p> | | |
| https://sm.asisonline.org/Pages/A-Conversation-with-the-FBI.aspx | Illuminating Going Dark: A Conversation with the FBI | GP0|#91bd5d60-260d-42ec-a815-5fd358f1796d;L0|#091bd5d60-260d-42ec-a815-5fd358f1796d|Cybersecurity;GTSet|#8accba12-4830-47cd-9299-2b34a4344465 | <p><span style="line-height:1.5em;">The Going Dark debate. It's been ongoing and reached its boiling point earlier this year when the FBI filed suit against Apple in an attempt to force the company to create a tool to break its default encryption on an iPhone 5c used by one of the San Bernardino shooters.</span></p><p>While the FBI found an alternative method to crack that particular iPhone and the court case stalled, encryption and access to digital evidence is still posing a problem for the bureau when it comes to investigations. </p><p><em>Security Management</em> Assistant Editor Megan Gates sat down with Sasha Cohen O'Connell, the FBI's chief policy advisor for science and technology, to learn more about these issues and the FBI's view of Going Dark. Their conversation has been lightly edited for clarity.</p><p><strong>Gates: From the FBI's perspective, what is the Going Dark problem?</strong></p><p>O'Connell: The issue for us is the inability to get access to digital evidence. This is not a situation where the U.S. Department of Justice is looking for new authorities; it is about exercising the authority we already have…and our inability to access content data, even with due process.</p><p><strong>Gates: When did the FBI begin noticing that it was having a problem obtaining content? Was it before Apple decided to move to default end-to-end encryption on its iPhone operating system?</strong></p><p>O'Connell: It was definitely before that point. There are folks in [the FBI headquarters building] who've been working this for over a decade. </p><p>It's something we've seen coming, and have been trying to raise warning bells about. The big difference was, as you noted, when things started to go to default end-to-end encryption. With Apple's announcement a year ago, it's just an exponential growth. It's not just the bad guys seeking out end-to-end encryption; it's about the bad guys' associates, and the bad guys' victims, and trying to exonerate people falsely accused of crimes.</p><p>When you reach a world of default, you're touching all of those people as well as just the small sub-set that might seek out that kind of end-to-end encryption.</p><p><strong>Gates: Beyond encryption, what are some of the other issues that you're seeing when it comes to Going Dark?</strong></p><p>O'Connell: Things like anonymization. There are situations where it's increasingly difficult for us to get to attribution—the ability to operate anonymously creates a whole set of issues for us when it comes to investigations. That's one kind of classic example.</p><p>There's a more basic example around simple data retention, too. We serve a warrant on a company, and they just frankly don't keep the data. So again, the outcome is the same. We don't have access with legal process to that content that we need.</p><p>And then the encryption piece, of course, is just the end-to-end encryption. We don't have a problem with encryption. We love strong encryption; we use strong encryption. We encourage others to do so. We have no issue with encryption. The issue comes when it's only that end user that has access.</p><p>We work all the time with companies that use, what we term, provider access. That works wonderfully, in terms of matching up with legal process. The easiest way to explain it is to look at the phone I carry. Nothing on it is classified, but there's a lot of sensitive information on it and it is encrypted.</p><p>But you better believe if I get hit by a bus tomorrow, the bureau can get into this. That's because there's an enterprise access point, that obviously we carefully manage. But it exists. And most companies use the same model.</p><p>Major e-mail providers, for business reasons, that want to push ads or scan for malware and scan for spam do this. You can't do that if you can't take content, so that's provider and controlled access.</p><p><strong>Gates: Why do you think that encryption use has increased dramatically over the past few years? Is it because of the increase in data breaches or a rise in privacy concerns after the Edward Snowden leaks?</strong></p><p>O'Connell: We're certainly not the experts. We don't know why the market does what it does. But I think, we encourage the use of encryption. So the FBI is out there saying, 'Use strong encryption.' And that is again, because of the increased focus on data security. As our lives move online, and our personal information moves online, there's no doubt that there's an increased concern around data security. We're leading that charge; there is no doubt about it.</p><p>What we want to point out is not throwing the baby out with the bathwater—not having data security at any cost. There are multiple values, so it is a balance between data security and other kinds of public safety issues.</p><p>There's never going to be absolute data security, so the question is, where in that range can we be? We see products today that exist in that safe range that also allow us to exercise our lawful authorities. We just don't want to slip to a place where we're in a situation where it's data security at all costs, at the expense of any other values.</p><p>If we're heading that way, we just want to make sure that we're doing that in an informed way—that we understand what it means when we go all the way to the end for data security.</p><p><strong>Gates: What's your ideal solution to the current problem? If the FBI could have anything it wanted, what would it want to see done?</strong></p><p>O'Connell: Director Comey's addressed this recently. He said his job is two things. One, right now we need to keep investigations moving forward. We have no option—that's our obligation. So we will do what we need to do within legal parameters to do that. That's where you've seen some litigation in the past couple months. </p><p>Then the other thing is he feels a real obligation to help inform the country to make informed decisions. Because at the end of the day, it is not our decision to make. But what we want to ensure is that people understand the trade-offs and the implications.</p><p><strong>Gates: Right now, there's no immediate solution. Beyond what Congress may or may not do, do you think the FBI needs more resources and needs to increase its technical knowledge and skill to keep pace with technology?</strong></p><p>O'Connell: We can't resource our way out of this problem. This is a global problem; this is a problem for our state and local partners who will never have the resources. If we continue on the trajectory we're on, there's no way to resource out of that.</p><p><strong>Gates: Many counter-arguments have been raised about Going Dark. One report from Harvard University and Hewlett said we're not Going Dark, that we're living in a golden age of surveillance. What do you think of that criticism?</strong></p><p>O'Connell: There's more data available today, so there's two issues. One, what's the denominator? Everything's online now, so there's more accessible. But you also have to remember, there's nothing left in the pocket.</p><p>In the past, we'd get a subject and there'd be pocket litter or there might be a written diary, or notes by the phone. None of that exists anymore.</p><p>Then we get to the nature of the data that's available, and this gets to the metadata conversation. 'Well, can't you just use metadata? Doesn't that solve all your problems?' Metadata is wonderful, we use it all the time. But there are some things that it will never do for us. Metadata will tell me that I'm talking to you…but can never tell us definitively what the content of that conversation is.</p><p>That has a number of problems. Maybe we know, based on other things, that we're planning an attack and the timing is being discussed, and the FBI doesn't know. So content is king when it comes to investigation and also prosecution, when you think about showing intent.</p><p>As we move up and request authority from the courts or inside our building for additional authorities, we often have to show that the metadata is not enough. If you're going to go up on a wiretap, part of the thing you have to demonstrate is that metadata is not enough.</p><p><strong>Gates: Other experts, like those quoted in the MIT report </strong><strong><em>Keys Under Doormats </em></strong><strong>and in the Cryptographer's Panel at the RSA Conference keep saying that the type of encryption the FBI wants people to use, provider access, is introducing vulnerabilities that someone else could potentially exploit and is not a good idea. What's your response to that criticism?</strong></p><p>O'Connell: When you talk about what is technically feasible it's important to distinguish between normative, academic conversation and a practical conversation. When you're in the world of normative and you're with folks who are academics—who I love and we want them involved in this process—the conversation is around perfect data security.</p><p>When you're in the world of real world limitations, we know there's no such thing as perfect security. People make tradeoffs every day. Perfect security outside of an academic context doesn't really exist. </p><p>Academically, they're correct. Any entry point, no matter how managed, does introduce vulnerability. Of course it does. But move over in the real world, where we use real products every day that for convenience, for advertising, for spam tracking, for a thousand reasons that also make sense to us, we're still within a reasonable risk or what the market has accepted as a risk. </p><p><strong>Gates: If the Going Dark issue isn't addressed, what's the worst case scenario from the FBI's perspective?</strong></p><p>O'Connell: We think about it in four buckets. One is we see a delay in cases. You see this, for example, in San Bernardino. There's a delay. If we can't get access to evidence, there's going to start to be a delay. </p><p>The second piece is, we see a diversion of resources. So when we have a situation, we ask people, 'Can you break in?' Sometimes we can. As our head of science and technology says, 'When the moon's aligned just right and I have a coat hanger, sometimes we can.'</p><p>But it takes a lot of resources, so we're taking those from other things we're doing. That has some impact on other work if we're just focused on one case and have a situation where we're successful, but it took three units of people two weeks. Again, you've got the delay problem, and now you also have the diversion of resources problem.</p><p>After that, you have the two scenarios we worry the most about. One, our inability to prevent something. In that time delay, something happens that we were unable to prevent because we couldn't see that content. Or, on the other side, we can't solve something. </p><p>Imagine a world where this is not solved. You're going to have the FBI slower, and state and local as well. You're going to see this across the country.</p><p><strong>Gates: The head of EUROPOL also recently came out and said that it's facing the same challenge. Do you see law enforcement beyond the United States having these same issues, and wanting similar access to data?</strong></p><p>O'Connell: Absolutely. All of our partners are in the same situation. Everyone we work with; everybody has the same challenges we do. </p><p>We're in a unique position because most of the companies that make the best products are here in the United States, so it amps up the issue for us. But there's no doubt that this is an international problem that will, probably, likely be solved with international norms. There's got to be some sort of consensus globally—to the extent that it can happen.</p><p><strong>Gates: Is it realistic to think that people are going to come together—internationally—to solve this Going Dark issue?</strong></p><p>O'Connell: I think that's what the companies want; frankly, it would be easier for them. What they don't want is a patch work of solutions…we've heard from companies that it would be nice if it was uniform globally because their worst case scenario is a patch work of different rules. And we're starting to head down that path. </p> | | |