National Security

 

 

Shaping Sanctuary
https://sm.asisonline.org/Pages/Shaping-Sanctuary.aspx
2018-10-01, Lilly Chapa
<p>As the holding and deportation of illegal immigrants from the United States took center stage over the summer, cities and states felt increasing pressure to pick a side. Should they enact so-called sanctuary city policies, limiting federal involvement in their law enforcement activities, and foster relationships with immigrant communities? Or should they work with federal officials to assist in detaining and deporting illegal immigrants, sometimes for profit?</p>
<p>The Trump administration's sweeping crackdown on undocumented citizens has affected a swath of people, from families crossing into the United States illegally to immigrants who have lived in the country for years. Most of U.S. President Donald Trump's message surrounding immigration enforcement has revolved around arresting and deporting criminals, making jails and prisons a target for federal authorities. And as some communities have begun making decisions about their level of support for U.S. Immigration and Customs Enforcement (ICE) within local judicial systems, it became clear just how complex the issue is.</p>
<p>Travis County, Texas—home to the state's capital, Austin—enacted a policy that prevents detention of individuals based solely on their immigration status in November 2016. While Austin's police department has not taken a public stance on cooperation with ICE, leaders have stated they will not focus on a person's immigration status but will still partner with federal agencies in immigration matters if the case involves criminal activity.
</p><p>Travis County's proclamation sparked state legislators to pass an anti-sanctuary bill that, among other things, allows all law enforcement officials to ask detained individuals about their immigration status and requires them to honor immigration detainment requests from ICE. And while Austin has fought back against the bill, several state, county, and city law enforcement agencies operate within the city—including the police department, four county sheriff's departments, and the Texas Highway Patrol—making it more difficult to enact an across-the-board sanctuary policy.</p><p>Similar complications are playing out further east. Charlotte, North Carolina, attempted to put immigration protections in place in 2015, passing a resolution that prohibited the city's police department from inquiring about the immigration status of the people it came across, but—much like in Texas—state legislators prohibited policies that curbed the collection of immigration status information. In this case, though, the Mecklenburg County Sheriff's Office has maintained an agreement with ICE that allows them to identify and detain illegal immigrants. </p><p>And taking precedence over the policy complexities within states, counties, and cities is Trump's 2017 executive order to withhold funds and otherwise punish some 300 cities and officials that do not cooperate with ICE. The sanctuary city ban entered a legal back-and-forth, with one court blocking the order nationwide, and an appellate court later determining that Trump could not withhold funds from cities, but that the nationwide block of the order was too broad. 
The case will be sent back to a lower court to determine whether a wider ban is needed.</p><p>While local police departments may implement policies to build relationships with the city's immigrant community, county sheriff departments—which largely own local jails—may have more impact on a community's sanctuary policies, says Bipartisan Policy Center (BPC) political analyst Cristobal Ramon.</p><p>"I think that as this issue has really been spreading across the country and become a core part of the debate, that's where the pressure is coming from," Ramon tells Security Management. </p><p>"Independent of what states are doing with the laws and on the ground, a county sheriff's office may promote cooperation or not promote cooperation with ICE for a range of different reasons."</p><p>Ramon coauthored a February 2018 BPC report on the nexus between immigrants, the immigration enforcement system, and local law enforcement. The report focuses on immigrants who are detained in local jails, either awaiting trial or serving out terms of less than one year. There are many aspects that go into what makes a sanctuary city, but Ramon says one of the cornerstone aspects is what goes on inside city jails.</p><p>"These agencies can have a variety of policies that promote or limit the capacity of ICE to access noncitizens in their facilities…and these policies can be independent of the local police departments who do the majority of arrests and bookings," the BPC report states. </p><p>Sheriff's offices are already deeply intertwined with ICE operations—about half of ICE's total detention population is housed in state and local jails and facilities, including one of Mecklenburg County's jails. 
The BPC report outlines the varying levels of involvement sheriff's departments can play in federal immigration enforcement, from identifying illegal immigrants and reporting them to ICE to complying with immigration detainers—where a jail will hold an individual for up to 48 hours beyond their scheduled release date so that ICE can take them into custody. "County governments that operate jails are not required to honor detainer requests under federal regulations," the BPC report notes.</p><p>Other formal agreements include 287(g) agreements, which delegate many of ICE's powers to local law enforcement. Under the agreement, local jurisdictions receive money to pay for the training of officials that will allow them to legally inquire into a person's immigration status, detain individuals beyond the time they would be held in local custody, and issue Notice to Appear documents to begin deportation proceedings. More than 75 jurisdictions have entered into 287(g) agreements, and almost half of those joined under President Trump's revised program. In 2017, 287(g) agreements led to the deportation of some 6,000 illegal immigrants.</p><p>BPC studied five metropolitan areas—Atlanta, Austin, Charlotte, Denver, and Los Angeles—and only Charlotte's county sheriff has a 287(g) agreement. Ramon points out that the Fulton County Sheriff's Office, which oversees jails in Atlanta, had previously participated in the program but did not join Trump's revised agreement because they could not justify participation in the program. </p><p>"They did not interact with enough undocumented immigrants, and said that it was impractical," Ramon notes. However, six other counties in Georgia recently joined the 287(g) program. </p><p>At the beginning of this year, ICE announced a new program, known as a Basic Ordering Agreement (BOA), which gives sheriff's departments $50 and an arrest warrant to detain an immigrant for 48 hours after he or she should have been released. 
BOAs allow participants to circumvent legal issues and liabilities that have cropped up with counties involved with 287(g). The act of holding individuals past when they should be released violates the Constitution, immigrant advocates argue, so local jails that hold immigrants past a normal amount of time can be subject to litigation—which is often successful. Since a BOA is an agreement rather than a contract, it allows participating counties to detain immigrants without fear of liability. So far, 17 sheriff's offices in Florida participate in the program, and that number is expected to increase.</p><p>Ramon points out that finances can play a part in whether cities are immigrant-friendly. Incentives such as the $50 BOA fee and 287(g) grants and reimbursements for housing immigrants may entice local law enforcement, he says. And, in a broader scope, allowing privately run ICE facilities to operate in an area can bring significant financial benefits. </p><p>"As the debate about family detention and separation is ongoing and cities and counties are thinking about whether they want these facilities in their area, one of the arguments is that these facilities also bring in jobs," Ramon notes. "There is that component of additional financial revenue or jobs being created through private facilities. It's just something else people are considering at the moment."</p><p>County sheriff departments' actions go a long way in defining a city's status as immigrant-friendly. Mecklenburg County Sheriff's Office, for example, has solidified Charlotte's standing as hard on illegal immigration, despite the city's attempt to pass sanctuary city policies a few years ago. </p><p>And in Austin, the Travis County Sheriff's Office has set an example by completely cutting ties with ICE and permitting its officers to reject requests to detain individuals based on their immigration status. 
</p><p>Other sheriff's offices around the country fall in the middle, where some such as Denver will honor detainer requests but won't hold immigrants past their release periods. Other jurisdictions like Los Angeles allow ICE into jails despite a citywide push to end cooperation with the agency.</p><p>"The very term 'sanctuary cities' belies the fact that there are many law enforcement agencies that may operate within cities, and that the police can also operate at county or state levels," the BPC report states. "Policy makers should carefully analyze the practices of different levels of law enforcement across each state to develop policies based on a better understanding of cooperation between ICE and local law enforcement agencies."</p>

 

 


 

 

Cyber Pirates Sail the Digital Seas
https://sm.asisonline.org/Pages/cyber-pirates-sail-the-digital-seas.aspx
<p>In the late 16th century, the British Empire granted official documents called “letters of marque” to seafarers, authorizing them to attack and pillage Spanish vessels in the New World. These privateers became known as Queen Elizabeth’s Sea Dogs; among them were the famous Sir Francis Drake and Sir Walter Raleigh. These privateers were essentially granted a license to commit piracy and help England gain a foothold in new territories–even when Spain and England were not at war. But some Sea Dogs decided to turn away from their queen and seek personal gain instead. One such man, Captain Kidd, was eventually arrested and executed for his mutiny. </p>
<p>Sea Dogs like Captain Kidd strayed far from their original purpose of helping build up the British Empire, and instead brought embarrassment to the crown. Eirik Iverson, director of product management at Tangible Security, compares such privateers to the Chinese nationals who have been accused of stealing trade secrets from U.S. firms.</p>
<p>Research by U.S.-based cybersecurity firms and, most recently, charges by the U.S. Justice Department, indicate that China is funding its own cyber privateers to spy on and steal secrets from U.S. businesses. But Iverson predicts that, like the British Sea Dogs, eventually the Chinese are going to feel some pain from their own privateers. He says the hackers “go where the opportunities are, and eventually that opportunity is going to be in China.” </p>
<p>As the evidence shows, China is not punishing its own cybercriminals who are attacking other nations. But the U.S. government took a broad step in prosecuting Chinese cybercrime in May when, for the first time, the Justice Department brought cyber espionage charges against five nation-state actors, all members of the Chinese People’s Liberation Army (PLA).
</p><p>A grand jury in the Western District of Pennsylvania brought the charges, which accuse the hackers of infiltrating the networks of six U.S. companies and stealing information “from those entities that would be useful to their competitors in China,” according to the official indictment. </p><p>Advanced Persistent Threats</p><p>In February 2013, cybersecurity firm Mandiant released a well-publicized 60-page report on a group it refers to as APT1 (Advanced Persistent Threat 1), which it had suspected for some time was a state-funded group of Chinese cyberthreat actors. The Justice Department indictment alleges that the five hackers were a part of the same unit Mandiant names in its report. </p><p>From 2004 on, Mandiant collected IP addresses, command and control information, and other important data about the hacking group. In January 2010, Mandiant released limited information in a small public report to see how the group’s cyber activity was affected.</p><p> “We put out a ton of indicators about the infrastructure, the sort of nuts and bolts of where these actors were coming from,” says Laura Gallante, manager of threat intelligence at FireEye, a firm acquired by Mandiant earlier this year. “Then what we were able to do was watch what happened from that released infrastructure for the next year.” </p><p>Gallante explains that criminal activity generated by the machines belonging to those addresses subsided, and eventually stopped. The infrastructure Mandiant made public was no longer in use. “So there was an entire shift in the IP addresses, in the infrastructure that this group was using,” she says.  </p><p>After further observation of how the group operated, Mandiant concluded that there was evidence the group was linked to the Chinese PLA. For example, much of the malicious cyber activity was coming out of the army unit’s headquarters in Shanghai. In its report, Mandiant revealed that at least 141 breaches were directly attributable to the group. 
Further, Mandiant determined that the Chinese government was almost certainly directly sponsoring the hackers. </p><p>“Our analysis has led us to conclude that APT1 is likely government-sponsored and one of the most persistent of China’s cyber threat actors. We believe that APT1 is able to wage such a long-running and extensive cyber espionage campaign in large part because it receives direct government support,” the APT1 report stated. </p><p>State Actors</p><p>Understanding that the group behind the recent cyber espionage charges is state-funded makes the allegations substantial, says Paul Tiao, a partner at Hunton & Williams and former senior cybersecurity counselor to the FBI. “What’s different here is that these are actually Chinese government employees. It’s the implications of the charges that are really damaging, as opposed to the nature of the charges themselves,” he notes. </p><p>The 56-page indictment outlines in detail the alleged cyber theft carried out by Chinese hackers against six U.S. companies: Alcoa, U.S. Steel, Westinghouse, Solar World AG, Allegheny Technologies Inc., and the United Steel Workers. The indictment brings 31 counts in total, including conspiring to commit computer fraud, accessing a computer without authorization for the purpose of commercial advantage and private financial gain, damaging computers through the transmission of code and commands, aggravated identity theft, economic espionage, and theft of trade secrets.</p><p>The charges brought by the Justice Department are historic, but in some ways not surprising, as the White House has been ramping up efforts to combat cyber espionage over the past two years. The 2013 National Intelligence Estimate revealed that China and Russia were the most aggressive nation-states going after U.S. intellectual property and other sensitive information via cyber espionage. 
“Russia and China remain the most capable and persistent intelligence threats and are aggressive practitioners of economic espionage against the United States,” the report stated. “Countering such foreign intelligence threats is a top priority for the Intelligence Community for the year ahead.” </p><p>Tiao explains that there have been many criminal cases involving Chinese nationals and trade theft. The Computer Crimes and Intellectual Property Section (CCIPS) of the Justice Department investigates and prosecutes cybercrime cases, but these usually do not involve nation-state hackers. “They’re private actors; they’re individuals either acting for themselves or for criminal organizations or for hacker organizations, and they read like these indictments do,” he says.</p><p>The companies that were targeted are large, but Tiao, who formerly served as a federal prosecutor in the cyberspace unit, says he handled cases on much smaller scales, and believes the U.S. government wants to protect organizations of all sizes. “I’m hoping that the public doesn’t think that the U.S. government only goes after the biggest hackers,” he notes. </p><p>The Justice Department made its intentions clear in its official announcement of the charges, stating that it intends to prosecute any cybercrime against U.S. critical infrastructure. “With our unique criminal and national security authorities, we will continue to use all legal tools at our disposal to counter cyber espionage from all sources,” FBI Director James Comey said in a joint statement with Attorney General Eric Holder and other U.S. officials. </p><p>Critical infrastructure. Experts say the companies targeted by the Chinese hackers are noteworthy because each business is considered to be critical infrastructure. “This is about as opposite as you can get from the Target and Neiman Marcus and retail store hackings,” says Craig Newman, managing partner at Richards Kibbe & Orbe LLP. “This is more aimed, clearly, at sabotaging U.S.
companies and undermining competition in a free-market system. These [attacks] were meant to go to the heart of competition and create an unlevel playing field when it comes to commercial transactions.” </p><p>That undermining of the competition is apparent, for example, in the SolarWorld AG case outlined in the indictment. The Oregon-based company was “rapidly losing its market share to Chinese competitors that were systematically pricing exports well below production costs; at or around the same time, members of the conspiracy stole cost and pricing information from the Oregon producer,” the indictment states. </p><p>In the Westinghouse case, the Pennsylvania nuclear power company was negotiating the construction of four power plants in China when hackers stole data. The information included “proprietary and confidential technical and design specifications for pipes, pipe supports, and pipe routing for those nuclear power plants that would enable any competitor looking to build a similar plant to save on research and development costs in the development of such designs.” </p><p>In both instances, the Justice Department says national security, not just competitive advantage, is a concern because hackers stole “sensitive, internal communications that would provide a competitor, or adversary in litigation, with insight into the strategy and vulnerabilities of the American entity.”</p><p>Newman points out that there are critical Chinese-U.S. business relationships that drive the economies of both nations, making the diplomatic consequences of the case a significant factor. “The United States and China will probably do their best to minimize the commercial consequences, but at the same time the U.S. government is making clear that it’s not going to stand for this sort of widespread hacking, especially against companies that are so important to America’s critical infrastructure,” he notes.  </p><p>Sponsorship. 
According to Lance James, head of cyber intelligence at Deloitte, nation-state threat actors don’t necessarily have a modus operandi, so businesses across all verticals should be vigilant about protecting against potential attacks. “In some cases, such as APT1, the motive is to seize intellectual property for financial gain, though unlike other forms of financial crime, the financial interest is presumably tied to overall global economic standing and trade deficits,” he notes. </p><p>In other cases, the nation-state actors could be operating under an ideological agenda, or trying to launch “kinetic warfare” with denial of service attacks or other tactics designed to shut down infrastructure. </p><p>Gallante echoes this sentiment, noting that the nation-state actors often want to find out how to build the program that made the plane–not just obtain the blueprints for the plane. “It’s the broader understanding, the business know-how that makes U.S. and global businesses so much more competitive” that the hackers are after, she explains. </p><p>As the APT1 report demonstrates, the 141 companies hacked by the Chinese group represent 20 different industry verticals, but Gallante adds that “there are certain sectors…aerospace, manufacturing, pharmaceuticals, clean energy, energy in general, high-tech, that have a broad targeting profile” that attract the Chinese hacking groups. </p><p>Network Defense</p><p>In the case of the six U.S. companies that were breached, experts agree it is unlikely the suspects will ever see the inside of a U.S. courtroom. But the indictment should serve as a wake-up call for companies wanting to protect their intellectual property and other assets. “A lot of folks don’t think they’re the target,” says Iverson of Tangible Security. “This indictment…helps to manage the denial that’s out there, and instills a sense of vigilance that is absolutely needed,” he explains, adding that U.S. 
companies should not look at this case as an indication that the U.S. government is going to solve all their cybersecurity issues for them.  </p><p>Still, the message sent by the U.S. government that it intends to help businesses with cases involving cyber theft is an effective one, says Tiao. “I think it does send a strong message and it does create some level of deterrence, even if those people are never actually brought into court.” </p><p>Iverson says that employing reliable security architecture is the basis of a sound security program, from the basics, like firewalls and signature-based detection, up to more advanced offerings, like sandboxing, vulnerability scanning, and penetration testing. With penetration testing, skilled network professionals are hired to essentially breach an enterprise’s defenses to find out where the holes exist. “Face them in the practice yard, rather than in the battlefield, where the Chinese make real theft and deliver real harm,” says Iverson. </p><p>James says starting with the basics is key. “Know your environment, your network, and what assets you need to protect,” he says. “What secrets need to be protected, and where are they? How are they used, and are they stored securely?” </p><p>He says that once an organization has established those answers, risk management controls can be applied. For example, companies can physically segment network servers and apply stricter controls on e-mails and virtual private networks.  </p><p>Education. Gallante notes that user education cannot be overstressed for potentially protecting an organization against a full-scale attack. An attacker can gain a foothold in the network by infiltrating the account of a single employee. </p><p>The recent charges by the Justice Department reveal just how successful this technique can be–several attacks outlined in the indictment began with spear phishing e-mails. 
Such messages are disguised to appear as if they come from a legitimate source, and trick the recipient into clicking on a URL or downloading a document that contains malicious content. </p><p>In one case outlined in the indictment, 20 employees of U.S. Steel received spear phishing e-mails from one of the attackers, who disguised himself as the company’s chief executive. In another case, the hacker purportedly “attached a file disguised as an agenda for Alcoa’s annual shareholders meeting, which, once opened, would install malware on the recipients’ computers.”</p><p>Once the malware is downloaded to the user’s machine, the hackers have an entryway into the network. They can then move through the rest of the company’s infrastructure and do damage, often remaining undetected for long periods of time.  </p><p>Gallante says a particularly successful phishing e-mail for attackers is one in which the hackers purport to be the organization’s IT department and prompt the recipient to change his or her password in fields contained within the message. She says this type of e-mail has tricked employees at all levels of organizations, from the CEO down. </p><p>“Over 90 percent of the compromises that we see start with a phishing e-mail,” Gallante adds. </p><p>Companies should be vigilant about training their employees to be on their guard against such e-mails and always think twice before clicking on any links or downloading attachments coming from a source that’s possibly unknown.  </p><p>Information sharing. Any amount of intelligence provided by an organization that’s suffered a breach can be useful in preventing future attacks by the same entity with the same toolkit, says James. “It is critical that information-sharing exists. 
We run up against the challenge of over-classification when it comes to ‘national security’ issues, and this can hinder the sharing flow,” he notes.</p><p>James says focusing on remediation and minimizing impact when actors have infiltrated one’s network is important, but taking that extra step to share threat intelligence is helpful to other organizations.  </p><p>But when it comes to combating cyber incidents, industry operators involved in threat intelligence “have a responsibility to respect the limits of our reach when it comes to nation-state activities,” James says. </p><p>James further notes that getting law enforcement involved immediately is crucial when it comes to state-sponsored activity, and may even help prevent future escalation internationally between nations. “It is not always wise to expose such actors publicly without this coordination,” he says.</p>
The Quiet Threat: Fighting Industrial Espionage in America
https://sm.asisonline.org/Pages/quiet-threat-fighting-industrial-espionage-america-0010213.aspx
<p><span style="color:#ff0000;"><strong><em>****</em></strong></span><strong><em>* The Quiet Threat: Fighting Industrial Espionage in America, 2nd Edition. By Ronald L. Mendell. Charles C. Thomas Publishers, <a title="www.ccthomas.com;">www.ccthomas.com;</a> 272 pages; $43.95.</em></strong></p>
<p>As this book explains, colleges are adding intelligence courses to business and security curricula at an increasing rate. They are needed because as companies outsource technology, they open avenues for the criminal element or the competition to intercept information. This second edition updates its treatment of the topic with additions on tradecraft of the industrial spy and data mining of business information.</p>
<p>Ronald Mendell explains governmental spying and how it differs from industrial espionage, with the latter being the primary focus of this work. He also discusses how espionage has in large part evolved from high-tech gadgetry of the Cold War to business-on-business cyberespionage and social engineering. He completes the explanation with a discussion of the espionage process and the players involved, who can include university researchers, suppliers, contractors, and others connected to the finished product.</p>
<p>Each chapter explains a particular aspect of espionage. A historical component is included to further define its relevance and how it has morphed into what it is today. He discusses what one would seek, for example, by visiting an ironworks in 1861 versus what one would seek at a major defense contractor in 1993 and how the information would be accumulated and used.</p>
<p>Mendell explains that an adversary is as likely to show up on a shop floor during a tour as to attack through cyberspace.
He does a good job of defining intellectual property versus a trade secret, and he notes that how they are defined in court is often a matter of how they are protected. He emphasizes that security awareness is important regardless of company politics or position.</p><p>This work was informative and engaging in its presentation, aided by graphs, references, and suggestions for further reading. It would be useful as an upper level university text, certification requirement, or general knowledge reference for a security practitioner.</p><hr /> <span style="color:#800000;"><strong>Reviewer:</strong></span> William Eardley, IV, has 26 years of experience in security and corrections. He is a member of ASIS International.
Banks Balk on Bud
https://sm.asisonline.org/Pages/Banks-Balk-on-Bud.aspx
<p>When seasoned security manager and longtime ASIS International member Brian Gouin started working as a consultant and virtual security manager for a medical marijuana production facility in Maryland, he certainly had some questions about the security challenges that the new gig might pose.  </p>
<p>Would external theft be a problem?  He had no experience in this sector, and dark visions of criminal cartels stormtrooping the facility to steal product occasionally crossed his mind. Luckily, that never happened.</p>
<p>"External theft has really not been a big problem. Surprisingly, there has not been a lot of that," says Gouin, who has spent nearly 30 years in the security industry and is currently owner of Strategic Design Services, a firm specializing in security design and project management services.</p>
<p>Still, the marijuana production facility did employ armed guards, because it held product that was worth at least $5 million. "That's more dollar value than 99 percent of banks in the state," Gouin explains. And since marijuana is so easy to sell, that product can be considered almost the equivalent of cash, he adds.   </p>
<p>But unlike external theft, internal theft was a problem. Employees sometimes helped themselves to a bit of product "to go" when leaving the facility for the day. Finding ways to screen workers on the way out was difficult. Complicating this matter is that keeping track of the on-hand marijuana supply can be a complex task. "You can't inventory it the way you inventory other products. You have to dry the plant; when you dry the plant, it loses weight," Gouin explains.  </p>
<p>And working with certain company employees was an unusual experience, even for a veteran security consultant well-accustomed to adjusting to different types of office cultures.  "It's so unique because of the type of person working there.
Most of these people five years ago were running from the cops and making this stuff in their basement," Gouin says. "They are naturally distrusting of security."  </p><p>Overall, many of the facility's biggest security challenges stemmed from the fact that it is a nearly all-cash business. The ramifications of this are many. For instance, cash at a thriving marijuana business can accumulate quickly; but when it comes time to deposit the money earned, banks generally do not want to accept huge currency bundles, which can result in scrutiny from federal regulators, Gouin explains.</p><p>Given this, many marijuana businesses are forced to keep significant cash on hand. Some outgoing expenses, like compensation for day workers and certain bills, can be paid in cash, Gouin explains. Much of the rest can be deposited in smaller amounts that are spread out, so the bank will accept them. Of course, transiting large amounts of cash can also be risky, so the operation bought and used an armored vehicle, described by Gouin as "a small vanny-type thing."</p><p>Still, in one way the business that Gouin works for is lucky—it found a local bank that will take its money.  </p><p>Because U.S. federal law still includes marijuana on its Schedule I list of illegal substances, no large "tier one" bank will do business with cannabis companies now, says Joshua Laterman, CEO and founder, National Association of Cannabis Businesses (NACB). This is the "black letter of the law" that means that banks can be charged with crimes like money laundering if funds they have accepted from cannabis companies are mixed with other funds and enter the U.S. federal wire deposit system. This could lead to a federal indictment. </p><p>"No tier one bank enters the sector unless the law changes or some type of [exception] is put into place, like a safe harbor," Laterman says. 
"There is no cure, full stop."</p><p>This is a significant problem, given the growth and revenue-generating power of the cannabis industry. Going into 2018, nine states and Washington, D.C., had legalized marijuana outright; for medical purposes, marijuana is legal in 29 states and D.C. This year, at least 12 states are poised to consider marijuana legalization; Vermont already did so in January. On the whole, the industry generated $7 billion in revenue in the last 12 months, and this figure is expected to rise to $10 billion this year, according to NACB.</p><p>Given this revenue generation, some local banks (like the one working with Gouin's facility) and credit unions have tried to step in and fill in the vacuum. "It's the only show in town right now," Laterman says. These local banks often charge an extra compliance fee, and they usually just provide an account and some checks, without offering more involved services like credit cards. On the whole, these banks believe that the potential reward is worth the potential risk, and that working with local business is "in service of their mission." </p><p>"It's all very hyper-local," Laterman says. "They do it in a very personal way."</p><p>Nonetheless, these local banks usually cap the amount of deposited funds at $250,000, the limit that the Federal Deposit Insurance Corporation (FDIC) will insure. All things considered, there are not nearly enough of these smaller banks willing to accommodate all the revenue. "It's like trying to handle a two-liter soda with a Dixie cup," Laterman says.  </p><p>Across the northern border, no such problem exists. Canada has legalized marijuana for medicinal purposes throughout the country, and banks and other financial institutions have no problem working in the industry. 
"You're seeing investment banks, you're seeing accounting firms, and you're seeing law firms who will not do any transactions in the United States, but they are doing a lot in Canada," Laterman explains.</p><p>However, back in the United States, it is possible that there will be some movement on the legal issue in the near future. Some analysts have said that if more states continue to legalize marijuana, it will simply not be tenable for the country to have two sets of applicable law. Congress will have to act and change the banking laws to allow for an exception, so that a licensed marijuana distributor can use the banking system.</p><p>Moreover, what may help drive an effort for a solution is the U.S. government's realization that an industry generating billions in revenue without a banking and finance structure to support it could turn into a security nightmare. </p><p>"The money needs a place to be put, and there's not enough places to put it in. That's a growing public safety risk," Laterman says. California, he adds, holds some promise as a potential solution driver. As part of that state's legalization effort, officials set up a high-powered working group to address the legal issues. "It's a great effort; they are getting great people around the table," Laterman says.</p><p>He adds that NACB, which describes itself as the only self-regulatory organization (SRO) in U.S. cannabis, will continue its work of professionalizing the industry with credentialing, licensing, education, and other such programs. "We need to address the trust and information gaps, and better understand who the players are," Laterman explains. </p><p>Meanwhile, security managers who are curious about what it is like to work in the U.S. cannabis industry may want to check out The Marijuana Project, a novel published by Gouin (under the pen name Brian Laslow) that was in part inspired by his experiences in the industry. 
</p><p>In the book, security expert Sam Burnett, a conservative family man who runs a security program at a medical marijuana production facility, wrestles with the moral issues of working with the drug while he navigates the dangerous plot twists and turns that the thriller storyline takes him through. Although the book is fiction, the various industry issues and scenarios that the main character, a security expert, is involved with may be of educational value.</p><p>As for the real-life Gouin, who initially wondered if working in the cannabis sector would tarnish his professional reputation, he now says his experience was a positive one for his business: "It gave me another niche." And so his advice for fellow security managers who are interested in following his lead is "go for it"—as long as they do their due diligence beforehand.</p><p>"You have to understand the quirks of the industry," he says.</p>