Skip to content

The Emerging Threat of “CybeRevenge”

2015 March 22
by Jason Nairn, CPP, CISSP

Imagine…

You represent a large utility company, and your power plant discharges waste cooling water into local waterways.  An environmental group reports that your discharge water is contaminated, despite the fact that your testing shows it is within permitted parameters.  Local media picks up the story of reported contamination, and it is subsequently picked up by national media as a result of recent similar stories in West Virginia and elsewhere.  Officials with the state environmental department review your tests and test the water and sediment, finding no evidence of contamination.  They issue a press release stating that there is no evidence of contamination or inappropriate management of facility discharge, but this gets far less attention from the press.

A week after the negative press, a malicious computer virus infects your company’s networks.  A Stuxnet derivative, the virus impacts your SCADA network, causing equipment failures and ultimately customer outages.  The company estimates the damages at over $5 Million.  A cyber hacktivist organization takes responsibility for the cyber attack, stating that the attack is in response to your company’s ” corporate greed and disregard for the environment”.

Now imagine this…

Your local police department experiences an officer-involved shooting.  An ethnic minority member of your community is shot by a police officer in an altercation.  As the investigation into the incident gets underway, your City is hit with a cyber attack that disables the web servers for all city government departments.  City residents are unable to access government services, and city business is seriously restricted.  City and county police and fire agencies are impacted and officers put at increased risk, 911 operations are impacted and thus residents are put at greater risk, and the costs are significant.

A cyber hacktivist organization takes responsibility for the attack, citing the shooting death “at the hands of the police”.

Both of these scenarios are examples of “Cyberevenge” attacks, where hackers target public or private agencies for perceived damage to interests that they purport to represent or support.  These punitive, extra-judicial attacks are not new, but they seem to be happening with greater frequency and with less concern for due process.  The latter of these two scenarios happened last week.

According to Cyber Threats: Defining Terms (2009), hacktivists’ primary tools have traditionally consisted of “website defacements and denial of service” attacks.  However, as internet-based hacktivist organizations become more coordinated and more advanced, the threat of more damaging attacks is likely.

Security professionals, now more than ever, need to be aware of their vulnerability to cyber attacks that result from negative press or unpopular announcements.  Both public and private organizations are vulnerable, and the continued trend toward greater risk to infrastructure systems from cyber attacks means that public officials and critical infrastructure owners and operators should expect damaging cyberevenge attacks following media coverage of controversial issues, or negative press.

Franklin D. Kramer, Stuart H Starr, and Larry Wentz, eds.  “Cyber Threats: Defining Terms.” Cyberpower and National Security (2009).

 

Who Cares If We Call It “Terrorism”?

2015 January 5
by Jason Nairn, CPP, CISSP

I recently wrote a post about the definition of terrorism, the public’s perceptions about terrorism, and the importance of the use of the word to the work of homeland security professionals.  The conversation about this topic has continued on the blog Homeland Security Watch, as well as in professional circles.

There are differences among professionals within the homeland security enterprise about whether the word “terrorism” should be a applied to events such as the Canadian Parliament attack and the Sydney Cafe Hostage Incident.  A recent conversation that took place via email between homeland security educators provides insight into the terrorism terminology tussle.  The emails are a continuation of a discussion prompted by a colleague who shared analysis by Scott Stewart of Stratfor Global Intelligence entitled “The Sydney Hostage Incident was a Classic Case of Grassroots Terrorism”.  (Stratfor is a subscription service and I could not therefore attach the article.  However, you may be able to get the article free here by providing an email address.)

A key phrase in Stewart’s analysis addresses the issue.  Stewart writes:

Despite Monis’ reported mental instability, the sequence of events in this incident clearly demonstrate that he was acting in a planned, logical manner designed to accomplish his goals — however delusional those goals may have been.

Thus Stewart makes the case that this attack, and others like it, are terrorism.  But some do not agree.  Here is the email conversation:

Clinical Psychologist and Homeland Security Educator [responding to the article]:

Hmm – Hoffman would say it’s terrorism if there is a political purpose behind the attacks – that would be necessary, but is it sufficient that the perpetrator’s message is political? But (and I’ll confess to skimming this) I didn’t see where the cafe or the patrons were emblematic of some political regime? Shouldn’t the target also serve as a symbol?

For example, the Pakistan school shooting by Taliban – the school is a military sponsored/funded school that the Taliban perceived as a training ground for future military personnel (though Pakistani’s argue there were lots of civilians’ children in attendance and is not a military prep school). The school is a symbol of the military, government and political regime the Taliban wants to change/eliminate. The King David Hotel, the Edward R. Murrah building, etc – all symbols, as well as civilian/noncombatant locales.

This dude sounds like a garden variety criminal. Self appointed cleric, currently charged with murder of a loved-one (though killing your ex wife is probably not a symbol of great love). So he slapped a pseudo-political label onto his act and was active in social media with other extremist groups…I just don’t buy it. My clinical opinion? Lone Nut.

Related: this is the problem with having no agreed-upon, operational definition of terrorism.

Homeland Security Educator 2:

I think the interesting question in both this instance and the Canadian Parliament attack is, as both incidents were perpetrated by individuals of questionable mental stability, does mental status matter?  Couldn’t it be said that anyone that is willing to put explosives on themselves (in their underwear even!) is likely not in perfect mental health, i.e. a lone nut as the article describes.  I think there is a danger in calling these politically-motivated, pre-planned attacks something other than terrorism, because it reduces the importance of the homeland security element involved in preventing / responding to these attacks.  The HLS element provides the vehicle for collaboration among agencies, countries, etc, and additional resources.  Crimes by lone nuts are addressed by local resources, and if we rely on local resources to do everything, we will be back where we were prior to 9/11, where some agencies had information, nothing was shared with the local agencies that ultimately had to respond, and no one was putting the pieces together.

Why does it matter?  Who cares if we call it “terrorism” or not?

It matters because the use of the word terrorism is important to the funding and resource support for anti-terrorism efforts in the US and abroad.  The recognition of the threat of ongoing terrorist attacks is important for the political framework that surrounds international homeland security (or domestic security, or civil protection, or whatever) efforts.  The correct description of these events as terrorism reminds us, the public-at-large and our policy-makers, of the importance of the collaborative framework of homeland security, and its essential role in preventing, responding to and recovering from these types of attacks.

 

Five Tips for Hiring and Maintaining Quality Security Guards

2014 December 13
by Jason Nairn, CPP, CISSP

In the past few days a report about security guard industry by CNN and the Center for Investigative Reporting has been making the rounds among security professionals.  The report does not paint the industry in a good light.  The theme is lax regulation, which is a real issue in some states.  But based on what I’ve read, I don’t believe that they bothered to interview very many reputable firms.  Nor did they dig very deep into the regulations in at least some of the states they surveyed.  Michigan, which was listed as having no regulation at all, actually has some fairly robust regulations on the books for private security.

As someone who has managed multi million-dollar armed and unarmed security contracts, I’ve seen and addressed plenty of quality issues with both guards and managers in security companies.  Given that the CNN/CIR report didn’t provide much in the way of helpful advice, I thought it a good opportunity to share a few tips that those in responsible charge of security might apply to retain resilience forces that are up to scratch.

Here are five tips for hiring and maintaining quality security guards, whether armed or unarmed:

  1. Pay Up – In most service industries, you get what you pay for, and security guard services are no different.  You must be willing to pay up for quality.  I have heard some security managers say “I will hire solid, new, less expensive people and train them well”.  Sure go ahead, and when you get them trained well they will be transferred away from your contract to the other client that will pay them what they are worth.  Be that guy, and pay for quality up front – then you’ll get the good stuff and you’ll save on the training costs.
  2. Contract, Contract, Contract – The quality of your contract is directly proportional to the quality of the guard service you will receive.  Even if you live in one of those “unregulated” states, incorporating plenty of training, refreshers and requirements into your contract just makes sense.  The good companies are doing it already – so you’ll weed out the small fish quicker.  The contract becomes your primary tool for quality if you are a government agency working toward hiring a “lowest qualified bidder”.  Beware – a contract light on requirements like post orders and training could literally be a matter of life and death.
  3. Join a Trade Group or Network in the Security Guard Field – One sure fire way to get the skinny on who is good and who is not is to join a group in the industry.  Most states have groups, like ASIS, that meet to discuss trends in the security guard industry.  Some lobby legislatures or provide information to the public about the industry.  Others’ like ASIS, certify professionals in the field.  Join a group to find out who the best firms are and stay active to be up on the latest information.
  4. Find the Insurer – Security guard companies have to get insurance just like any other business.  If you can find the company that insures the guard companies in your area, you might just find a source of great information about which companies are the best.  Sometimes these insurers are members of the trade groups.  Ask them questions.  If it’s legal and ethical, they’ll tell you what they can because they are interested in quality as well – better quality = fewer claims.
  5. Get Out and Observe Your Forces in Action – It’s tough for executives to get out to the posts where the guards are on duty, but it is essential.  At site inspections I always found something that could be improved.  Sometimes it was just a simple issue like guard comfort, other times it was a dangerous safety issue.  Check on the guards often with supervisors in-tow to make adjustments when appropriate.  DON’T order your guards around at their posts – it is demeaning and amateurish.  Use the contractual chain of command.  Get to know your site supervisors and build that trust relationship.  You will need them when something goes wrong – and it will.

 

Ottawa Attacks Reveal Public’s Confusion About Terrorism

2014 December 1
by Jason Nairn, CPP, CISSP

The US media and news-consuming public are known for their short attention spans when it comes to domestic events.  A novel major story quickly refocuses attention, often leaving important issues without context or follow-on reporting.  This phenomenon, one that I like to call “Issue Attention Deficit Disorder (IADD)”, is exacerbated when the event in question is not domestic.  Major issues in Africa, Asia and Europe are simply underreported in the US media, and though they often do not, major events in Canada should merit our attention.  Ottawa is only a 9-hour drive (471 miles or 911 kilometers) from Washington DC, the rough equivalent of driving from Detroit, MI, to Marquette, MI (455 miles), or from Nashville, TN to Chicago, IL (471 Miles).

Canadian media coverage of the recent attacks in Ottawa involving the gunman Michael Zehaf-Bibeau has revealed a glimpse of the Canadian public’s attitudes about terrorism.  Two stories that ran recently in the National Post provide some valuable lessons for followers of homeland security trends.  First, according to a poll conducted in Canada of over 1500 citizens, only 36% of those that responded would characterize the attack on Parliament as terrorism.  Second, in a propaganda magazine ISIS took credit for inspiring both the attack on Parliament and an earlier attack on a Canadian Warrant Officer by another individual said to be a “jihadist”.

Homeland security professionals have been heard to lament the “‘nothing happens until something moves’ effect” of support for homeland security.  The idea is that only after a disaster or major event, like a terrorist attack, is attention refocused on the support of homeland security goals and objectives.  Based on this report, even serious attacks may not drive the public’s support of security priorities.  If an attack on the seat of government does not qualify as terrorism in the eyes of the public, but qualifies as supporting the mission in the eyes of the terrorist group, then something is awry.  Even if our neighbors don’t use the phrase “homeland security” as we do, a fundamental issue remains.  Getting the word out about what terrorism is, what homeland or domestic security is, and how to support resilience in our communities and institutions should be a focus that we maintain beyond the next headline.

Concordia University – Portland Opens New State-of-the-Art Homeland Security Simulator

2014 November 23
by Jason Nairn, CPP, CISSP

Concordia University – Portland has opened a state-of-the-art simulator designed to educate, train and exercise leaders and operators in critical thinking and ethical decision-making in realistic environments. The Concordia University Homeland Security Simulation Center includes an Immersion Theater in which on-site command staff is right in the action, and a separate Emergency Operations Center where leaders can operate in a simulated EOC environment. The facilities are housed at Concordia’s new Columbia River Campus which is conveniently located adjacent to the Portland Airport (PDX). The Homeland Security Simulation Center can be booked by public and private organizations interested in training, exercise and educational programs to support their missions. More information is available at www.cu-portland.edu/simulator.

The Center has gotten some publicity this week:

http://www.kptv.com/Clip/10879049/concordia-universitys-new-homeland-security-simulation-center

http://on.kgw.com/1zMZohU

 

The Principle of Ultimum Judicium

2014 August 21
by Jason Nairn, CPP, CISSP

In a series of posts, I am outlining three principles that I believe apply to working relationships in homeland security.  This is a thought experiment presented for discussion and review.  These principles are derived from my own experience as a homeland security practitioner and are presented to highlight issues within the homeland security enterprise that I believe are interesting for further study and discussion.

While future posts may flesh out the details and background associated with the Principles, they will be presented in brief initially.

The Principle of Ultimum Judicium

The Principle of Ultimum Judicium states that the goal of all security activities is the preservation of justice, and that ultimately, only an empowered government apparatus can exercise ultimate justice in a societal context.

The definition of justice includes “the principle or ideal of just dealing or right action”.  Security’s ultimate goal is to deploy resources and deliver services that ensure that stakeholders in a given realm (campus, company, community) live, work and operate within an environment that is just.  A just environment in which to live and work enhances the quality of life and business, and therefore benefits the realm collectively as well as other realms with which it associates.

Fairness and justice can take a variety of forms.  A common form is criminal prosecution.  Yet criminal prosecution is not the ONLY form of “justice” considered by security professionals for violators of collective security.  Some organizations or corporations choose to deliver justice internally, via organizational administrative tools that may include termination or sanctions.

These sanctions do not, generally, result in the delivery of justice for the violator beyond the bounds of the corporation, and thus have a limited societal impact.  Ultimate justice is, in this context, the unique responsibility of an uncorrupted system of judicial prosecution, where an individual is presented before his peers in society and judged based on the unique circumstances of his actions.  The resulting penalties have a lasting impact on both society and the individual.  The principle dictates that ultimate justice is the role of the uncorrupted governmental justice system and its agencies.

Thomas Paine wrote that security is the “true design and end of government”.* As such, an uncorrupted government must have a role in the delivery of justice resulting from security operations.  Anything else, including institutional penalty, is administrative sanction, but is not ultimately justice and does not have a societal impact.

An interesting area of future study is the consideration of the definitions of “government” and “uncorrupted”…  Are groups that form governing bodies, like ISIL for example, governments?  What would be the impact of “legitimacy” in this context?  How does one define “justice”, using universal humanistic descriptors or societal norms? 

* – Paine, Thomas (1986) [1776], Kramnick, Isaac, ed., Common Sense, New York: Penguin Classics

 

The Principle of the Marketization of Security

2014 July 11
by Jason Nairn, CPP, CISSP

In a series of posts, I am outlining three principles that I believe apply to working relationships in homeland security.  This is a thought experiment presented for discussion and review.  These principles are derived from my own experience as a homeland security practitioner and are presented to highlight issues within the homeland security enterprise that I believe are interesting for further study and discussion.

While future posts may flesh out the details and background associated with the Principles, they will be presented in brief initially.

The Principle of the Marketization of Security.

The Principle of Marketization of Security states that the changing role of security in the modern, networked society will require increased privatization of security services by virtue of the economic forces of the marketplace.

Essentially, security threats affect each individual in society in a much more direct way than prior to the digital age.  Cyber attacks, for example, target the identity and assets of individuals, compromising the security of families directly.  The increased prevalence of risk in the lives of individual citizens means that the responsibility for securing those citizens must be spread to more security professionals.  Privatization, by definition, gives ownership to more individuals in the population and also creates economic incentives for more efficient service (Filopovic, 2005).

As a result of these forces, governments will be unable to compete with the efficiency of the private sector in many (not all) areas of security, as the goals of government are generally political and less economic (Poole, 1996).  This principle dictates that more and more security-related services that are currently provided by government agencies will be privatized in the future.  In the absence of an understanding of these forces, the transition could stress relationships that are essential to the security of the homeland.

 

Poole, Robert W. “Privatization for Economic Development.” The Privatization Process. Ed. Terry L. Anderson and Peter J. Hill. United States of America: Rowman & Littlefield Publishers, Inc., 1996. 1-18.

Filopovich, Adnan. “Impact of Privatization on Economic Growth.” Issues in Political Economy, Vol 14, August 2005. 1-6.

The Principle of Collaborative Distinction

2014 July 10
by Jason Nairn, CPP, CISSP

In a series of posts, I am outlining three principles that I believe apply to working relationships in homeland security.  This is a thought experiment presented for discussion and review.  These principles are derived from my own experience as a homeland security practitioner and are presented to highlight issues within the homeland security enterprise that I believe are interesting for further study and discussion.

While future posts may flesh out the details and background associated with the Principles, they will be presented in brief initially.

The Principle of Collaborative Distinction.

The Principle of Collaborative Distinction states that there are a number of individual disciplines within homeland security, each of which is essential to the proper functioning of a networked homeland security system.  Because of the broadness and complexity of homeland security, these disciplines can be seen as competing, as in for resources or authority, or as redundant, when in fact they are often complimentary.

As an example, it is proposed that Security Management and Criminal Justice are distinct disciplines of homeland security.  Each requires specialized knowledge and expertise and each values experience and trust.  In a collaborative relationship, professionals in these two disciplines can, symbiotically, develop effective solutions to key issues such as jurisdictional authority, security of privately-owned infrastructure, and resource limitations.

How can homeland security leaders encourage collaboration between disciplines that have similar capabilities but distinct roles?  The answer may lie somewhere in emphasizing the value of the individual disciplines which support the security of the homeland, including those in the private sector.

Security Management, Law Enforcement and the Future of Homeland Security

2014 June 23
by Jason Nairn, CPP, CISSP

As mentioned in a previous post, I have been in a transition from a position of operational responsibility to one where I have greater opportunity to reflect upon the key issues that form the homeland security professional’s working environment.  As both a practitioner and observer within the homeland security enterprise, I have had the opportunity to observe a variety of public and private sector security programs.  In many of these programs, there was a necessary relationship between law enforcement, and non-law enforcement security practitioners.

As a result of my observations on this subject, I have developed three principles, which I believe apply to the working relationships that are necessary to secure our nation’s future.  In a series of posts, I will be presenting these three principles.

This is a thought experiment presented for discussion and review.

The principles are derived from my own experience as a homeland security practitioner and are presented as a way to establish a foundation for interactions between law enforcement, and non-law enforcement security professionals.  The goal is to enhance the power and effectiveness of the most significant force within homeland security, interagency personal relationships.

 

Letter from the Editor: A New Direction in Homeland Security

2014 June 21
by Jason Nairn, CPP, CISSP

After almost 15 years in state government, I have decided to resign my employment at the State of Michigan and enter the academic world on a full time basis.  While I may reflect on this decision in future posts, I will only say here that I have gotten an enormous amount of satisfaction and pleasure from working as an instructor in Concordia University’s Homeland Security Program.  As such, I feel very fortunate that the university has made me a generous offer of a full time faculty position in which I can continue the fine work of teaching and pursue a terminal degree.

Additionally, I will have the great pleasure to direct the university’s new Homeland Security Simulation Lab!  The Sim Lab will provide a realistic training and exercising environment for homeland security professionals and lay persons in a variety of homeland security related disciplines.  The facilities and systems in which the university has invested will take the exercise to a new level that will render the standard tabletop obsolete.  I anticipate huge interest when the facility opens later this year.

I hope to write and post more here at the HLSR blog.  This past 6 months it has been difficult to find time to devote to blogging, as I have been teaching and finishing my work at the state. I look forward to developing this resource further as a service to my students, colleagues and to the wider audience that cares about homeland security as a field of study.

Very Respectfully,

JPN