Tag homeland security

A book of worst-case scenarios

Tim Riecker, The Contrarian Emergency Manager 3 Comments

I came across this article yesterday about US Rep Michael McCaul from Texas (who happens to chair the House Homeland Security committee) penning a book titled “Failures of Imagination: The Deadliest Threats to Our Homeland — and How to Thwart Them”.  The book, set to be published in January, will apparently outline a variety of terrorist attack scenarios against the US and how they can be stopped.

I’ve written in the past about the necessity to consider credible worst-case scenarios (natural and human-caused) which can impact your jurisdiction or organization.  Following the model outlined by Comprehensive Preparedness Guide (CPG) 201 for the Threat and Hazard Identification and Risk Assessment (THIRA) process, it’s not just enough to say you are vulnerable to flood or wild fire.  To identify what your specific vulnerabilities are (location, duration, severity), it is necessary to flesh these out into scenarios.  Identification of these vulnerabilities will then help identify impacts, such as those to infrastructure, resources, and populations.  Plans should then be based upon these impacts.

I’m doubtful that Rep McCaul’s book will provide any foundation for planning (although I don’t think it’s intended to), however the scenarios contained may be eye opening to EMHS professionals and even citizens.  Regular readers of this blog know I feel that we are on borrowed time regarding terrorist attacks.  Yes we have experienced some on US soil (and the UK, Canada, Australia, France, India, and many other nations), and they have been devastating, but we have to know that with organizations such as ISIS thriving on our planet, more will come.  Mumbai-type scenarios, with multiple coordinated simultaneous attacks can be crippling and certainly demonstrate what a credible worst-case scenario could look like.

I’m interested to see what Rep McCaul’s book contains.  I’ll be sure to publish a review once it comes out and I’ve had an opportunity to read it.

© 2015 – Timothy Riecker

Emergency Preparedness Solutions, LLC

WWW.EPSLLC.BIZ 

Adapting to the Cyber Threat – Who Holds Liability?

Tim Riecker, The Contrarian Emergency Manager Leave a comment

Over the past year or so, even the past few months, we have seen a huge increase in high visibility hacks and cyber attacks.  Among the highest profile attacks are:

  • Target department stores suffered the theft of credit card holder data
  • the US government had a huge theft of information of government employees as well as theft of tax payer data from the IRS
  • and just recently the theft and subsequent public release of information of Ashley Madison account holders.

While cyber attacks and hacking didn’t just start occurring recently, our society, laws, and policies have yet to grow to truly keep up with prevention, mitigation, protection, response, and recovery from these incidents.  This is a familiar place we find ourselves in with other human-caused incidents such as mass shootings.  We have recently seen some insurance companies offering cybersecurity policies.  I’m not knowledgeable of the terms and conditions of these policies, but I’m hopeful policy holders are required to have cybersecurity policies and programs in place to help prevent and mitigate against the impacts of a cyber attack.  Presumably, the insurance  policy covers financial losses to the company and perhaps even litigation.  Consumers have a variety of protections available for identity theft offered through banks and credit cards.

With the recently announced class action lawsuit against Ashley Madison, I began thinking about where the real liability for a cyber attack lies.  Certainly those individuals whose personal information was stolen (moral issues aside) may suffer some measure of financial loss.  The same can be held true for those whose data was stolen from the Target and US government hacks.  Those individuals trusted and were generally assured that their personal and financial information would be protected.  These assurances place a liability on the entity that holds their information.  However, we tend to treat liability differently for disasters and acts of terrorism where entities, so long as they made reasonable and prudent efforts to avoid impacts, are held harmless; or in the event of a criminal act, we see liability shifted to the perpetrators of the criminal act.

I’m convinced that any system can eventually be hacked and suffer either data loss or data theft.  Unlike a natural disaster, intentional human-caused incidents include the factor of persistence.  Persistence is a unique element which requires constant and concerted efforts on the part of other humans to prevent, protect, and mitigate against criminal acts.  Given the law of averages and the constant need for cybersecurity experts to keep up with all tactics used by criminals, the good guys are bound to lose a battle once in a while.  While I don’t disagree that those who have their personal information stolen through no fault of their own may be deserving of financial compensation for their losses, I’m left wondering about the real liability of those entities who make reasonable and prudent efforts to protect that data.

Certainly the perpetrators, when found guilty, are at fault and hold the ultimate responsibility, but we have difficulty in identifying and persecuting these attackers.  Even if the perpetrators are found and convicted, is there still a shared liability among other parties?

Like climate change, we struggled for many years fighting the inevitable and thinking we could stop or reverse its effects.  We are finally shifting to a new philosophy of adaptation.  While we do what we can to slow the speed of climate change, many have accepted that climate change, and thus its impacts, are an inevitability.  This leads me to suggest that we need to take the same stance with all disasters, including those caused by humans.  Incidents will occur.  While we MUST do what we can to prevent, protect, and mitigate against them, we need to shift the thinking of society to response, recovery, and adaptation for when, inevitably, it does occur.

While I’m no attorney or expert in liability and litigation, it seems to be a fairly unexplored area in terms of cybersecurity.  I welcome your thoughts and ideas on this.

© 2015 – Timothy Riecker

Emergency Preparedness Solutions, LLC

WWW.EPSLLC.BIZ

Are You Really Considering All Hazards?

Tim Riecker, The Contrarian Emergency Manager 1 Comment

Natural hazards, such as flooding, tornados, wildfire, and earthquakes, bring about the greatest losses, calculated in nearly every metric possible, as compared to human-caused incidents.  Human-caused incidents, either accidental or intentional, still bring tremendous impact to communities world-wide on a daily basis.  While working to prepare for, mitigate, respond to, and recover from natural hazards will always continue to be important, it seems that many still often forget about human-caused incidents despite all the conversations out there.

Human-caused incidents include a variety of hazards such as infrastructure failure, transportation accidents, hazardous materials incidents, and intentional attacks.  These are all things which we can fit into our traditional model of Prepare, Mitigate, Respond, and Recover.  The National Planning Goal introduced the model of the five Mission Areas – Prevention, Protection, Mitigation, Response, and Recovery – to help address our many of our major functions (Core Capabilities) for human-caused incidents (note that Preparedness is now a higher level concept that applies to all Mission Areas).  While this Mission Area model has helped bring these key activities into the greater fold of what we do, it has also kept them largely isolated through the thought that many human-caused incidents are only addressed through Prevention and Protection Mission Area activities.

Nowhere, it seems, do we see this more than in the area of hazard mitigation.  The vast majority of hazard mitigation plans which exist only address natural hazards (even at the state level).  Since many readers view this blog for my opinion, here it is – this is archaic and dangerous thinking!  We have all seen hazard mitigation plans which claim they are ‘all hazards’, yet only list natural hazards.  That’s fine, if by some unbelievable circumstance, your jurisdiction is only impacted by natural hazards.  This is a circumstance which I am highly doubtful of.  Some mitigation plans get a little more realistic and will address human-caused hazards such as dam failure and/or hazardous materials release, which were likely the greatest human-caused threats they may have been vulnerable to in the previous century.  In today’s world this still doesn’t quite get us to where we need to be.  There are a great many mitigation activities which we can leverage against human-caused incidents.

How do we fix this?  It’s easy – start with conducting a hazard analysis.  A hazard analysis, be it as a stand-alone activity or part of the THIRA process, should review all possible hazards which your jurisdiction, company, or organization is vulnerable to.  It should be comprehensive, not just limited to the set of natural hazards.  Along with infrastructure failure and hazardous materials incidents (both in-transit and fixed site), consider hazards such as active shooters, cyber attacks, improvised explosives, and civil unrest.  This may require bringing some additional subject matter experts into the room for your hazard analysis – like your IT director.  In a hazard analysis, each hazard is ranked (at a minimum) by its likelihood to occur and its severity of impact should it occur.

A well conducted hazard analysis provides the basis for everything we do in emergency management and homeland security.  It not only informs our activities such as planning, training, and exercises, it also helps assign priority to those hazards which require the greatest focus and allocation of resources.

© 2015 – Timothy Riecker

Emergency Preparedness Solutions, LLC

WWW.EPSLLC.BIZ

We need to talk MORE about Emergency Management

Tim Riecker, The Contrarian Emergency Manager Leave a comment

My company is currently finishing a contract which involved almost two dozen site visits to local government entities (cities and towns) to meet with local officials (emergency management, police, fire, EMS, schools, elected officials, public works/highway, etc.) to discuss certain emergency management and homeland security needs they may have.  The topics we needed to address were set in conjunction with our client and the meeting times were capped at 4 hours.  Based on the discussion generated by those we met with, discussions took anywhere between an hour and a half to all four hours.  At the end of most of these meetings, many people who we met with thanked us for bringing them the opportunity to discuss emergency management with such depth.

At first I was a bit puzzled about this gratitude… the meeting was intended for us to gather information from them, so it was us who thanked them for their time and input.  Why would they thank us?  They could talk about this stuff any time they wanted to, right?  In theory, yes.  In practice, NO.

Looking back at the project in retrospect we saw the value in the opportunity we provided these local stakeholders.  Absent a recent disaster or a specific issue of concern, it’s a rare occasion that local leadership takes the time to convene and discuss emergency management and homeland security matters.  We, rather serendipitously, provided them with an opportunity to do talk about many facets of EM/HS, to share thoughts and ideas, and to identify needs.

In many local government meetings (town/village/city council, selectboard, etc.) the topic of emergency management (or anything related to it) is generally not on the agenda.  Some may have a formal briefing by department heads, which would include the fire department or police department (if they have one), but these are usually fairly general statements.  Because of the depth of discussion that can take place, I don’t even think that these monthly governance meetings are the right venue for most discussion.  I would suggest that jurisdictions have a separate meeting, at least quarterly, to discuss emergency management in depth, with all department heads, elected officials, and others present and participating.  Preparedness should be discussed across the spectrum of all mission areas.

Many of the jurisdictions we met with had seen tropical storm impacts within the last few years – and that was the last time, for many of them, that the impacts and lessons learned were discussed.  What of their corrective actions?  Aside from a few largely individual efforts, little progress had been made.  Stakeholders self identified this gap, some commenting directly about the necessity to meet more often.  Many brought up gaps that were identified after the tropical storm, or even more recently, which were never addressed.

Along with the success of our intended project, we hope that at least some of those jurisdictions were able to get energized and organized to revisit some of those past concerns and move forward to make some progress with preparedness and mitigation efforts.

What do you do in your jurisdiction to prompt more discussion about EM/HS?

© 2015 – Timothy Riecker

Emergency Preparedness Solutions, LLC

WWW.EPSLLC.BIZ

Cybersecurity, Encryption, and Backdoors… the debate rages on

Tim Riecker, The Contrarian Emergency Manager 1 Comment

If you aren’t up on the debate regarding data encryption, you should be.  It’s an interesting debate with strong positions on either side.

Eric Geller with The Daily Dot authored an interesting article last week on the subject.  It’s quite in depth and lengthy, but worth the time to read.

http://www.dailydot.com/politics/encryption-crypto-war-james-comey-fbi-privacy/

What are your thoughts on encryption?

– TR

Your Complete Guide to the 5 Cybersecurity Bills in Congress

Tim Riecker, The Contrarian Emergency Manager Leave a comment

Yesterday Eric Geller, a writer for The Daily Dot, an online internet culture newspaper, posted Your complete guide to the 5 cybersecurity bills in Congress.  This is a great overview of each of the bills and what they entail.  These bills represent an important progression toward a better cybersecurity policy and implementation in the US.  A worthwhile read.

© 2015 – Timothy Riecker

Emergency Preparedness Solutions, LLC

www.epsllc.biz

Do You Have an Emergency Management Committee?

Tim Riecker, The Contrarian Emergency Manager 2 Comments

Comprehensive emergency and disaster management, effectively done, cannot be done by one person alone.  The best emergency management and homeland security practices are performed by teams.  The practices of emergency management and homeland security are so ubiquitous and multifaceted that we rely on the participation and input of persons in related professions, and in fact professions generally not seen as related, to be successful.  Because of this, both government entities and corporations alike often embrace a team approach to emergency management.  Do you?

Division of Responsibility – Unity of Effort

Aside from the chief elected official or chief executive officer, no one person has the direct ability to ‘command’ the forces of a jurisdiction or corporation.  The trouble with this is that these CEOs are generally not experts in disaster management.  Effective organizations learn the necessity of delegation early on which, while the CEO is still ultimately responsible, those delegated to are functionally responsible for their respective areas.  Laws and regulations often make these delegations mandatory for both jurisdictions and corporations.  While each of these delegations has their own functional responsibilities, they still operate as part of a greater organization and must work well together achieve maximum effectiveness.

The ability of these stakeholders to work together in a unity of effort is certainly important during a disaster, but it’s not the only time they should get together to talk about disasters.  Yes, many of these individuals will see each other during (hopefully) regular staff meetings, but these meetings typically involve briefing the CEO on current or upcoming activities, discussions on hiring and budgets, or being briefed on new policy.  While these are all important discussions they usually leave little room to discuss topics on emergency management and homeland security.

EM/HS certainly warrants its own meetings and workshops to accomplish important tasks such as a periodic threat and hazard identification, plan creation and updates, exercise planning meetings, and discussions on training, grants, and preparedness investments.  This group should also be making policy recommendations to the CEO and ensuring that preparedness efforts are permeating the entire jurisdiction or organization.  Their work together in preparedness efforts will strengthen their relationships and increase their knowledge of each other’s functional responsibilities and capabilities.

Who Should Participate?

In any of the mission areas of emergency management and homeland security (Prevention, Protection, Mitigation, Response, and Recovery – or in activities related to preparedness for any of these) there are often related or even overlapping interests amongst department heads.  The emergency manager, fire, police, EMS, and public works/highway are often at the forefront; but other departments and positions such as parks and recreation, clerk, human resources, finance/treasurer, and zoning can all (and should) have some degree of input.  Larger jurisdictions may have their own health and human services departments which are also important participants.  There are similar positions within corporate organizations that have the same interactions and hold the same importance in this regard to these organizations.  Also be sure to consider external partners such as utilities, major employers, and not for profits and social groups?  Perhaps your EMS provider is a third party or your law enforcement is provided for by a Sheriff’s Department or State Police – be sure to include them as well.

This ‘whole community’ list can grow very quickly and often times not all members are needed for the group to function effectively.  The best practice in emergency management committees is to take a tiered approach – with a core group addressing most matters but with the support and augmentation of an expanded group to include other departments and organizations whose participation is called upon when needed.

Emergency management and homeland security are team efforts which require the active participation and input of all stakeholders to be effective.  Don’t just rely on your emergency manager to get the job done.  They need support from the entire organization to ensure that your jurisdiction or corporation is prepared to address the worst, save lives, and minimize losses.  Some emergency managers view such committees as ‘oversight’ or an unnecessary bureaucracy, but success lies in collaboration.

What’s your approach?

© 2015 – Timothy Riecker

Emergency Preparedness Solutions, LLC

www.epsllc.biz

Book Review – Next-Generation Homeland Security by John Fass Morton

Tim Riecker, The Contrarian Emergency Manager 3 Comments

I’m a firm believer that professionals need to keep current on trends and major discussions in their field of practice.  Homeland security and emergency management are no different, which is why I spend a great deal of time reading – books, blogs, newsletters, etc.

A book I finished in recent months was Next-Generation Homeland Security by John Fass Morton.  The book offers a great history of the roots of emergency management and homeland security, insights into the politics involved in the evolution of the two related fields, and thoughts on how preparedness agendas of the federal government and preparedness needs of local and state governments can be better merged moving forward.

Mr. Morton provides a highly detailed history of EM/HS – the most detail I’ve ever seen published anywhere.  This history doesn’t just cover new laws and changes in agency names, but also identifies key players and influencers, missteps, and practices along the way.  His detail of EM/HS over the past two decades is even greater as he has been able to obtain information and insights from his own experiences and those of his colleagues and contemporaries.  These details include all of our current programs such as NIMS, EMAC, and others – including many of the predecessors of those programs.  If you have interests in history or politics, much of the book will be very interesting to you simply based on this content.

Much of the book’s focus is on all-hazard preparedness, so you won’t find a great deal of information on DHS member agencies and their mission areas.  The book primarily follows the evolution of emergency management and its relationship with homeland security, while also providing some insight into the roots of homeland security which well predate 9/11.  Mr. Morton’s research certainly demonstrates how cyclic these evolutions have been.

Mr. Morton offers some interesting perspectives on our current state of preparedness and offers thoughts on organizational models which can enhance the coordination between the federal government and state and local authorities through strengthening of the FEMA/DHS regional offices, particularly the regional preparedness staff.  It’s apparent that there often conflicts between the federal government and state and local governments in regard to EM/HS priorities across all mission areas.  Mr. Morton’s perspectives offer a viable solution.

As I read I marked a lot of pages in the book for future reference, particularly in the second half (about 200 pages).  If you don’t have much interest in the histories Mr. Morton provides, as they are quite detailed, the second half of the book is where there will still be great value to you as this is where more contemporary practices, policies, and organizations are detailed as well as Mr. Morton’s thoughts on the further evolutions of our practice including the Federal regional approach and other topics such as professional development.  This is an excellent book for the dedicated practitioner who is looking for not only a detailed history but also thought provoking insight, not just a regurgitation of doctrine.  I believe it would also serve as an excellent book for graduate level academics, as it not only provides a great deal of information but can certainly stimulate quite a bit of discussion.  I hope to see some of Mr. Morton’s ideas get discussed broadly for the benefit of our profession.

Exercising Foundational Skills with Unorthodox Scenarios

Tim Riecker, The Contrarian Emergency Manager Leave a comment

Does the scenario of an exercise activity really matter?  Can we use a zombie scenario to exercise evacuation and sheltering?  Can we use a holiday food distribution to the needy to practice our POD (point of distribution) plan?  Do scenarios always have to be realistic or related to our jurisdiction’s hazards?

I’m a foodie.  As such I find myself occasionally watching shows like Cutthroat Kitchen and Chopped.  These are fun shows that strike a balance of cooking with game shows, including the cash prize in the end.  The competitors are legitimate cooks, some trained in culinary schools, some successful in their careers and earning the title of ‘chef’.  The competitors are given, on the spot, either a dish to create (Cutthroat Kitchen) or a box full of ingredients which must all be incorporated into a dish (Chopped), using a kitchen and pantry generally unfamiliar to them, within a relatively short amount of time – and make it better than their competitors.  Is competing on these shows anything like running a professional kitchen?  Hell no.  Does it make them better cooks?  From interviews I’ve heard, the answer is yes.

Can we recreate this in emergency management?  Of course we can, and we should.  How would this help emergency managers and other public safety professionals?  Recall that within the exercise design component of the HSEEP process the Core Capabilities to be focused on and the objectives to be tested are selected prior to determining the scenario.  This tells us that the activities to be performed are more important than the scenario in which they will be performed.  In these cooking competitions, the participants must fall back on their foundational skills to be successful.  It’s those foundational skills and the activities which they foster that we evaluate in our exercises.

Certainly a scenario has some importance.  It provides context, allowing the participants to get their head into what they are doing.  A scenario can be different, even a bit silly or fantastical (alien invasion, anyone?), but it still has to correlate to the objectives of the exercise; i.e. there must be a compelling reason to perform mass prophylaxis or to evacuate an area.  That said, the scenario is simply a vehicle to get our participants to perform what we intend to test.  Don’t we always tell our participants to not fight the scenario?  Well if it’s something they’ve never before experienced, they have little ground to stand on.

Another benefit to using an unfamiliar or alternate scenario is getting participants to break from the routine and face unexpected and new challenges.  What if digital communications fail?  What if they have to relocate to an alternate EOC? What if that alternate facility is likewise compromised?  Consider using the scenario to remove a critical resource from use.  How will the participants overcome this new problem?  In Cutthroat Kitchen, participants are faced with unseemly injects to their food preparation, such as replacing all cooking utensils with a Swiss Army knife or only being able to cook using a microwave.  Some of your participants may balk at such occurrences, but emergency management is about managing the unknown, the unfortunate, and the unexpected.

Regardless of the measure of reality we choose to base our exercises on, the scenarios we develop are really another level of fiction to help facilitate exercise participation.  Yes, often times we want to test hazard specific plans (a zombie apocalypse exercise can not replace the need of a hurricane exercise), but if the scenario itself doesn’t matter, consider using something ‘outside the box’.  Routine makes us complacent and complacency is very dangerous in emergency management.  We must always expect the unexpected and continually have the mindset to improvise, adapt, and overcome.

© 2014 – Timothy Riecker

Cyber Security Video – Stop. Think. Connect

Tim Riecker, The Contrarian Emergency Manager Leave a comment

Students and faculty from Grand Valley State University created a video for the West Michigan Cyber Security Consortium and the US Department of Homeland Security’s campaign on cyber security called Tapping In – Stop. Think. Connect.  The information site for the video (including a link to the video) can be found here – Stop. Think. Connect.

It’s a clever video about the dangers of hackers, the importance of individual vigilance, and ways to maintain your own cyber security.  Overall the video is well done and the music is catchy, although I think the production is a bit long (five and a half minutes), leading to the message getting a back seat to the music.  I do like the characterization and the vignettes that drive the video and the overall message.  I’m hopeful they will edit down the piece to provide video segments a bit more palatable to our short attention spans and conducive to inclusion in advertising campaigns. 

More of this is needed.  The public at large seems to pay little attention to cyber security and the role that individuals play in it.  While data infiltrations of large corporations like Target get a great deal of media attention, hackers and phishing scams lead to data and identity theft of individuals on a daily basis. 

How do you promote cyber security in your organization or jurisdiction?  What materials and methods do you use to promote it?  Do you feel you are reaching your audience?  

© 2014 – Timothy Riecker