Public Area Security National Framework

The Transportation Security Administration (TSA) recently released this report in cooperation with a variety of stakeholders which provides information and guidance on preparedness, prevention, and response activities to strengthen the public spaces of transportation venues.  While the focus of the document is on airports, the information in the document is great not only across all transportation venues, but other public spaces as well.  I think there are great takeaways for other areas of vulnerability, such as malls, convention centers, event spaces, and others.

To be honest, there is nothing particularly earthshattering in this document.  The document is brief and identifies a number of best practices across emergency management and homeland security which will help agencies and organizations prevent, protect, prepare, and respond to threats, particularly attacks.  That said, the document does accomplish providing concise information in one document on key activities that absolutely should be considered by entities which control public-access spaces.  I would also suggest that this document is still 100% relevant to those which have some access controls or entry screenings.

Information in the document is segmented into three key tenets: Information Sharing, Attack Prevention, and Infrastructure and Public Protection.  Within these tenets are found recommendations such as relationship building, communication strategies, vulnerability assessments, operations centers, planning, training, and exercises.  Most of the recommendations provide examples or leading best practices (although no links or sources of additional information, which is a bit disappointing).

The framework is worth a look and can probably serve as an early foundation of activity for those who haven’t yet done much to prepare their spaces for an attack.

© 2017 – Timothy Riecker, CEDP

Emergency Preparedness Solutions, LLC

Thinking Beyond the Active Shooter

While there is obviously a great deal of attention placed on preparing for, preventing, and responding to active shooter events, is that where the focus really needs to be?  Yes, active shooter incidents are devastating, but they aren’t taking into consideration the full potential of we might be facing.  The DHS definition of ‘active shooter’ actually allows room for additional potential, but the term is still misleading and indicates the presence of only one perpetrator.  (DHS definition: “Active shooter is an individual actively engaging in killing or attempting to kill people in a confined and populated area.”)

First, let’s consider that more than one person could be perpetrating the incident.  Second, let’s consider that the perpetrator/perpetrators might be using something other than or in addition to firearms.  This could include edged weapons, blunt weapons, improvised explosives, or other threats.  Third, let’s consider an increased complexity, including synchronized attacks conducted by one or more independent teams occurring at multiple locations sequentially or in close succession.

To address these potentials, we’ve heard the terms ‘Active Assailant’, which certainly addresses individual(s) using any form of weapon(s) in their attack methodology.  This can also address the more highly complex incident type, which is commonly referred to as a ‘Complex Coordinated Attack’ or ‘Complex Coordinated Terrorist Attack’.  In essence, we are talking about the same conceptual incident, with varying complexity.  But what’s the difference?

The difference is that we should be preparing for a credible worst-case scenario.  While a single shooter is more likely to occur in most places, we’ve seen incidents of knife attacks such as those in recent months in London and Japan.  We’ve also seen motor vehicle attacks in Berlin and NiceThe Columbine High School attack involved firearms, knives, and improvised explosive devices, although the latter weren’t successfully detonated.  For their own reasons, none of these seem to match up with the impression most have with the term ‘Active Shooter’.  ‘Active Assailant’ might be better a better term generally for these kinds of incidents.   More specifically, by current standards, Columbine would likely meet the definition of ‘Complex Coordinated Attack’.  A complex coordinated attack doesn’t necessarily require a high value target or an international terrorist group to perpetrate.

When a jurisdiction plans for a flood, they generally don’t prepare for a couple of road washouts that might occur with a hard rain storm.  They should be preparing for the sudden destructive power of flash floods and the slower but equally devastating potential of areal flooding.   If the jurisdiction is prepared for the credible worst-case scenario, their preparations should be able to address flooding of a lower magnitude.  I’d argue the same for the range of active assailant incidents.  Active shooter incidents are one specific type of active assailant incident, but are not what our preparedness activities should be focused on, as these kinds of incidents can be much more complex and devastating.  Preparedness efforts should, instead, focus on the complex coordinated attack, which is arguably the most multifaceted and impactful type of this incident.  Preparing for the credible worst-case scenario will help ensure our preparedness across the entire spectrum of this kind of incident.

As always, feedback is appreciated.

© 2017 – Timothy Riecker, CEDP

Emergency Preparedness Solutions, LLC

7 Emergency Management Priorities for the Next Administration

Heritage.org recently published a piece outlining the top four homeland security priorities for the next administration, which can be found here.  It’s a thought provoking article that certainly identifies some important issues.  In the same spirit, I’d like to offer what I think are the emergency management priorities for the next administration.

1) Support an Effective FEMA Organizational Model

The Heritage.org model pointed out several issues with the DHS organization that need to be addressed sooner rather than later.  I’d like to add some FEMA-specific items to their suggestions, regardless of if FEMA is kept within DHS or not (honestly, I think that ship has sailed and FEMA is there to stay).

In building a bit of background for this article, I took a look at FEMA’s current strategic plan, knowing that the document already identifies some of their priorities.  Within in that list of priorities, they mention mission and program delivery, becoming an expeditionary organization, posturing and building capability for catastrophic disasters, and strengthening their organizational foundation.  To me, these four all directly relate to their organizational model.

Along with having a strong central administration of programs, FEMA needs to have agility in their program delivery.  This is best accomplished through the FEMA regional offices, which act as an extension of the ‘central administration’ by coordinating directly with states and neighboring regions to apply those programs in the best possible manner within the guidelines of the program.  While this is currently performed, it is not performed to the greatest extent possible.  John Fass Morton provides some great perspective on this approach in his book ‘Next-Generation Homeland Security’.  Info on the book can be found here.

2) Bolster Risk Reduction Programs

I write often about preparedness, as that has always been a focus of my career.  Risk reduction, however, is essential to eliminating or reducing the impacts of hazards on communities.  Risk reduction includes all aspects of hazard mitigation and resilience, which are ideally applied at the local level but supported by state and federal programs, policies, and resources.

While the National Weather Service has implemented and promoted the StormReady program, which encourages community resilience, the best program we have ever had in our field is Project Impact.  I’d love to see a revival of Project Impact (call it that or something else – I don’t really care), incorporating the concepts of StormReady as well as other best practices in risk reduction.  A big part of this program MUST be incentivization, especially access to funds that can be applied for in the present for hazard mitigation activities.

3) Build a Better Cybersecurity Program

This item was added to the list by a colleague of mine.  It’s also found on the Heritage.org list.  It must be pretty important, then.

Yes, there are a LOT of initiatives right now involving cybersecurity, but I think there can be more.  Jon, the same colleague who suggested this for my list has also stated repeatedly that cybersecurity is really a Core Capability that cuts across all mission areas – Prevention, Protection, Response, Mitigation, and Recovery.  The recent update of the National Preparedness Goal suggests this, but sadly doesn’t commit.

What do we need in regard to cybersecurity?  First of all, we need to demystify it.  There are plenty of people out there who have just enough tech savvy to turn on their computer, send some email, and post to Facebook.  While that may work for them, they are likely intimidated by talk of cybersecurity, hackers, and the like.  We need to continue programs in plain speak that will help to inform the average consumer about how to protect themselves.

Better coordination with the private sector will pay off heavily when it comes to cybersecurity.  Not only is the private sector generally better at it, they also have a tendency to attract experts through better incentives than the government can offer, such as higher pay.  Cybersecurity also impacts everyone.  We’ve seen attacks of all types of systems.  The only way to stop a common enemy is to work together.  Let’s think of it as a virtual whole-community approach.

4) Prepare for Complex Coordinated Attack

Another of Jon’s suggestions.  While terrorism is often quickly shoved into the category of homeland security, there is a lot that emergency management can assist with.  These types of attacks (think Mumbai or Paris) have a significant impact on a community.  They require a multi-faceted approach to all mission areas – again, Prevention, Protection, Response, Mitigation, and Recovery.  While law enforcement is clearly a lead, they must be strongly supported by emergency management as part of a whole-community approach to be successful. Preparedness across all these mission areas must be defined and supported by federal programs.

5) Infrastructure Maintenance

We have roads, bridges, rail, pipes, and other infrastructure that MUST be maintained.  Maintenance (or replacement) will not only prevent failure of the infrastructure as a disaster itself, but will also make it more resilient to impacts from other disasters.  Yes, these are projects with huge price tags, but what alternative do we have?

6) Continuity of Existing Model Programs

There are few things more infuriating than a new administration wiping the slate clean of all predecessor programs to make room for their own.  While every administration is entitled to make their own mark, getting rid of what has been proven to work is not the way to do that.  Eliminating or replacing programs has a significant impact all the way down the line, from the federal program administrators, to the state program people, to the local emergency managers who are often understaffed and underfunded to begin with.

Changing gears is not as simple as using a different form tomorrow, it requires research and training on the new program and costs time to re-tool.  While I would never say there is nothing new under the emergency management sun, as I believe we are still innovating, I’m pretty skeptical of some new appointee walking into their job and making wholesale changes.  While improvements can certainly be made, summary execution of successful programs does no one any good.  Let’s not make change simply for the sake of change.

Related to this, I fully support the efforts of FEMA in the last few years to gain comprehensive input on changes to documents and doctrine through the formation of committees and public comment periods.  This approach works!

7) Pull Together Preparedness Programs

NIMS, HSEEP, NPG, THIRA, etc… While each of these programs have their own purpose and goals, more  can be done to bring them together.  I’m not suggesting a merger of programs – that would simply make a huge mess.  What I’m suggesting is to find the connections between the programs, where one leads to another or informs another, and highlight those.  Things like better application of the Core Capabilities within HSEEP exercises to have a more effective evaluation of NIMS capabilities (I suggested this while being interviewed for a GAO report), or referencing the THIRA when building a multi-year training and exercise plan.  While some jurisdictions may already do this, these are best practices that should be embraced, promoted, and indoctrinated.  These links typically don’t add work, in fact they capitalize on work already done, allowing one project/program/process to be informed or supported by another, creating efficiencies and supporting a synchronization of efforts and outcomes.

There is my list of seven.  What are your thoughts on the list?  There are certainly plenty of other ideas out there.  If you had the ear of the next President, what would you suggest be their administration’s emergency management priorities?

© 2016 – Timothy Riecker

Emergency Preparedness Solutions, LLCYour Partner in Preparedness