Digital Sandbox // Blog


The Federal Emergency Management Agency (FEMA) is inviting public comments on the “foundational concepts” of its recently released Presidential Policy Directive 8 (PPD-8) on National Preparedness, and more specifically on the draft National Preparedness Goal (NPG) now in development.

PPD-8 specifically mandates the development of “a national preparedness goal that identifies the core capabilities necessary for preparedness and a national preparedness system to guide activities that will enable the Nation to achieve the goal. The system will allow the Nation to track the progress of our ability to build and improve the capabilities necessary to prevent, protect against, mitigate the effects of, respond to, and recover from those threats that pose the greatest risk to the security of the Nation.”

Keeping up the brisk pace of deadlines outlined in the PPD-8 Implementation Plan, FEMA will take comments regarding the NPG on a specially configured website only until noon on September 2. The first edition of the NPG is expected to hit the President’s desk by September 25. An initial description of the National Preparedness System is due by November 24.

For background reference, readers can view our analysis of the original PPD-8 Directive here, and of the PPD-8 Implementation Plan here and here.

A review package with the first draft of the NPG can be found here. Website commenters will first need to register, which they can do by visiting FEMA’s Collaboration Community.

––––––––––––––––

Digital Sandbox is the leader in public safety risk management, providing analytic tools and information products to government agencies and large enterprises for optimizing risk-based strategic, policy and budgetary decisions.

 


In the past three weeks, law enforcement and public safety authorities in several British and American metropolitan areas have faced an unprecedented surge in social disruption and violent crime at the hands of so-called ‘flash mobs’ – public gatherings organized largely via social media and email with little advance notice.

Most flash events are intended to be fun or even silly rather than destructive (group singing or dancing, the occasional mass pillow fight), even though all require the attention and resources of local law enforcement. But even a cursory look at the recent U.K. and U.S. cases shows just how variegated these events really were – and thus how tricky it can be to formulate a properly calibrated response.

    Manchester, Birmingham and London: These were the most violent and prolonged of the recent cases, involving nightly rioting, looting and arson that went on for several days before being contained by a massive police response that netted over 1,200 arrests. Manchester police used Flickr to publish security-camera photos of looting suspects and then did a name-and-shame exercise by tweeting the names, birth dates and partial addresses of those convicted. And in a speech before an emergency session of Parliament, Prime Minister David Cameron said that “we are working with the police, the intelligence services and industry to look at whether it would be right to stop people communicating via [social media] websites and services when we know they are plotting violence, disorder and criminality. I have also asked the police if they need any other new powers.”
    San Francisco: Authorities at the city’s Bay Area Rapid Transit (BART) commuter rail network, caught unprepared by a July 11 protest against the recent shooting death of a knife-wielding homeless man by transit police, which halted rush-hour service on two-thirds of its trains, learned of a second protest planned for August 11 (using cell phones for coordination) and temporarily switched off cellular signals on its underground train platforms at 4:00 PM that day. No protest materialized, although BART’s website was subsequently hacked in protest of its preemptive move. BART defended its action by noting that its riders have “a constitutional right to safety.”
    Philadelphia, et al.: Small bands of roving youths indiscriminately assaulted pedestrians while larger gatherings shut down sections of the City of Brotherly Love. Several other urban areas around the country suffered store robberies, shootings and other random attacks – most the result of flash events organized over social media. The responses in Philly, Kansas City, Cleveland and a few other places were curfews for youths under 18, with broader calls for legislative or executive action aimed at curbing the use of social media in such instances.
    Los Angeles: In the strangest case yet, but also one that attracted a great deal of attention, the rapper known as The Game tweeted his 580,000 followers about a music internship that gave the help line number of the busy Compton Station of the L.A. County Sheriff’s Department. He deleted the tweet, calling it accidental, after the Sheriff’s Office complained, but not before the line was tied up for close to three hours. It was a virtual flash mob or, if you prefer, a low-tech version of a distributed denial-of-service (DDoS) attack. After initial talk of filing a criminal complaint the Compton Station dropped the idea but was reportedly consulting with legal experts to see whether legislation could be developed to address social media messages that may cause harm to public safety, while still respecting individuals’ rights to freedom of speech.

We wrote about the rise of flash events last February in a report on special-event security and Super Bowl XLV in Texas in which we noted that such events “are now proliferating at such a rapid rate that the security profession is seeking innovative solutions to handle them.”

Some of those solutions may appear quickly in the form of new technological or procedural approaches, but it will take more time for cooler heads to think through the broader implications of flash events and official government responses to them – especially since they touch directly on important constitutional issues such as freedom of speech and assembly.

We will offer some thoughts of our own in a future post, but it’s already clear that the issue does not lend itself to easy solutions, nor will a one-size-fits-all approach be likely to work. That said, it’s equally clear that, as we put it in our paper, “flash events are here to stay.”

––––––––––––––––


As if a combined earthquake and tsunami were not enough to command the attention of the world’s nuclear power authorities, a new report says they should be adding solar storms to the list of natural hazard risks that have the potential to trigger nuclear reactor failures.

Just six months ago, the first two of this trifecta of hazards inflicted massive damage on northeastern Japan’s nuclear power plants (not to mention a wide swath of the region’s communities, farms and businesses). Now, the International Business Times reports that severe solar storm activity could “induce geomagnetic currents that could destroy a substantial fraction of the very largest transformers on the power grid,” knocking out electric power “for a period of years and possibly decades.”

“Last month,” IBT writes, “the Nuclear Regulatory Commission said that U.S. plants affected by a blackout should be able to cope without electricity for at least eight hours and should have procedures to keep the reactor and spent-fuel pool cool for 72 hours.” Any longer-lasting electrical power outage obviously would increase the risk of a meltdown. The article also pointed to a recent report by the Oak Ridge National Laboratory, which “discloses that over the standard 40-year license term of nuclear power plants, solar flare activity provides a 33 percent chance of long-term power loss. This is a risk far greater than most other natural disasters, including major earthquakes and tsunamis.”

The issue of solar flares is not a new one, but it came into focus again after a surge of geomagnetic activity reported last week by the National Oceanic and Atmospheric Administration’s Space Weather Prediction Center. Our friends at the All Hazards blog reported that at one point, “the Kp index (a measure of the amount of geomagnetic disturbance…) hit ‘8’ which is pretty impressive.” (See graph at right, courtesy of NOAA.) As for the impact of such activity, it noted that a widespread outage of even a few days “could cause some big problems for nuclear power plants. Such a long-term power outage really needs to be on our preparedness radar – both for individuals (e.g., by keeping a rolling food store) and for emergency managers.”

For further reading on space weather and its impact on the planet, check out the two-part series that ran in March of this year in The Washington Post (Part 1 here and Part 2 [which addresses the impact on nuclear power] here). The University of Illinois at Urbana-Champaign published an eight-page paper in May entitled “Solar Storms Effects on Nuclear and Electrical Installations.” And in February, All Hazards published its own “Quick Guide to Space Weather and Solar Flares.”

––––––––––––––––


The German police have rejected the use of body scanners after testing the equipment at Hamburg Airport for 10 months and finding it sorely lacking. Security officials cited slow processing speeds and an excessive number of false positives, as well as concerns over both the health and privacy of travelers.

According to a story in the German weekly Welt am Sonntag that was picked up and translated into English by Agence France-Presse, “35 percent of the 730,000 passengers checked by the scanners set off the alarm more than once despite being innocent.”

These are the same scanners, made by L-3 Communications, that have been rolled out in many U.S. airports, without much public debate in advance, and to similar criticism and concerns.

The report noted that the U.S. “stepped up the deployment of body scanners at airports after a Nigerian man was accused of trying to ignite explosives concealed in his underwear during a Christmas day flight from Amsterdam to Detroit in 2009. Washington then urged the European Union to follow suit but Europeans decided to first study their impact on health and privacy.”

Other European states that are testing body scanners include Great Britain, France, the Netherlands, Italy and Finland.

––––––––––––––––


Norway’s Turn

Jul 28, 2011

All kinds of questions are being asked in the aftermath of last Friday’s tragic mass-casualty attack in Norway. Even leaving aside issues related to responses to the twin bombing and shooting – such as whether the Norwegian police were too slow in getting to Utøya island – there still seem to be plenty of countervailing opinions concerning what could have been known in advance of the incident.

As for the mental state of alleged perpetrator Anders Behring Breivik, much ink has been spilled on parallels between the 32-year-old Norwegian and Oklahoma City bomber Timothy McVeigh or Jared Lee Loughner, the accused shooter of Rep. Gabrielle Giffords and others in Tucson, Arizona. While it seems obvious that Breivik is a sociopath, he is a high-functioning one. Also clear is that he had an ample social networking presence and web footprint and therefore could theoretically have been detected and identified as a potential threat well in advance of the incident itself (especially with apparent red flags such as membership in Oslo Pistolklubb and the recorded purchase of a farm where he could stockpile ammonium nitrate for the bombing portion of his spree).

However, as we observed in Loughner’s case, Breivik’s writings constitute protected free speech and his activities in isolation would have been extremely challenging to connect into a broader picture of his intentions. Moreover, his online and physical persona right up until he posted his 1,500-page ‘manifesto’ just before the attacks was universally described by those who encountered or read him as “mild” if a bit odd, meaning he did not seem to pose much of a risk even if there was someone in authority monitoring him. As one expert on high-risk individuals we spoke to put it: “it’s likely that most experts will convince themselves that this incident was avoidable – but of course, it was not.”

Breivik proved to be a very technically and tactically proficient individual despite his obvious mental illness; the bombing of Oslo government buildings did not kill many people but as a diversionary attack that would tie up first responders for hours it was brilliant, allowing Breivik to gun down a large number of unarmed people trapped on a 26-acre island with little threat of being stopped. One of the more worrisome aspects to us is that there’s great potential for copycats to take away useful lessons from the tactical ‘successes’ of this lone-wolf operation. As usual, a single individual with a ready supply of small arms proved much more lethal than the average suicide bomber. Sooner or later other radical elements will pick up Breivik’s (and Fort Hood shooter Major Nidal Hasan’s) lead and start acting on the lessons.

––––––––––––––––


The Dept. of Homeland Security has just blogged the details of a security incident that took place late last month in Colorado, highlighting the key role played by the state’s fusion center. The incident itself was an attempted bombing at a bookstore mall, but of equal interest is the relatively detailed description of how the information-sharing aspects worked in this case.

In apprehending a suspect in this incident, the Colorado Information Analysis Center (CIAC) played a central role in analyzing and sharing information between the Lakewood Police Dept. (which received the initial call for service), the Colorado State Patrol (whose trooper arrested the bombing suspect later the same day) and the FBI, which activated the local Joint Terrorism Task Force (JTTF). Although the DHS blog doesn’t say exactly where the mall is located, Lakewood PD, Colorado State Patrol and the CIAC are within blocks of each other in Lakewood, a close-in suburb of Denver.

A description of the incident, and the CIAC’s role in it, can be found here.

––––––––––––––––


Stuxnet Redux

Jul 11, 2011

A year has passed since the so-called Stuxnet virus was found to have wreaked havoc among the turbines and centrifuges at Iran’s Bushehr and Natanz nuclear sites by infecting control systems made by German engineering giant Siemens AG.

In the intervening months, analysts and long-form writers have had a chance to delve into the history and workings of this highly unusual attack and piece together a more complete narrative on the subject.

An excellent example is a detailed and lengthy article released today by Wired magazine called “How Digital Detectives Deciphered Stuxnet, the Most Menacing Malware in History.” Writer Kim Zetter notes that while on the surface “Stuxnet seemed routine and unambitious in its aims,” it also caught the attention of companies like Symantec for its hidden complexities and size – “500k bytes, as opposed to the usual 10k to 15k.” Moreover, the code “appeared to be a dense and efficient orchestra of data and commands” with “no extraneous fat.” As Liam O Murchu, manager of operations for Symantec Security Response, put it to Wired: “Everything in it just made your hair stand up and go, this is something we need to look into.”

If the magazine’s 10,000-word magnum opus doesn’t answer all your questions, two of the better resources for regularly keeping track of articles on Stuxnet are the References section of its Wikipedia entry, and a ‘timeline’ of relevant articles, maintained by the Infracritical blog.


(Photo courtesy of the Presidency of the Islamic Republic of Iran News Service)

––––––––––––––––


The aviation security community just can’t get a break. First it had to contend with explosives hidden in checked luggage and radio-cassette players. More recently it was shoes and underwear. Now comes word that al-Qaeda operatives have seriously considered surgically implanting explosives inside the human body, to reduce the chances of detection by airport scanners and explosives-sniffing dogs.

Here’s hoping the people who try this are at the same level of craftiness and technical acumen as shoe bomber Richard Reid, underwear bomber Umar Farouk Abdulmutallab and their helpers.

Predictably, media and public reactions to this latest intelligence have been spread evenly across the dread continuum, from yawns to breathless hysteria and everything in between. But the story has also elicited some unusual analysis and commentary. For example, several plastic surgeons told The Wall Street Journal that “implants, commonly filled with saline for cosmetic or reconstructive uses …could be filled with an explosive such as PETN instead.” One told the Journal: “I could train someone off the street with two arms and two legs to do it within a few hours.”

In the Department of Silver Linings category, a Transportation Security Administration “insider” emailed Noah Shachtman of Wired magazine’s Danger Room blog to note with evident pride: “With the implementation of body scanners, the ‘technological deterrent’ is complete within the airport environment.” As a result, the source wrote, would-be bombers “will avoid placing their device in their shoes, in their carry-on property, in the checked luggage, or on their body. What’s left? The only thing left to consider is to place the device internally.”

TSA’s official comment on the matter was more restrained, but made much the same point. And it warned passengers flying from international locations to U.S. destinations to be prepared for additional security measures “designed to be unpredictable” and which “may include interaction with passengers” as well as more traditional screening methods. Could Israeli-style airport security be making its way to the U.S. after all?

Either way, the surge in news about this unsettling scenario is not the same thing as an increase in the threat of such an attack. Indeed, we’ve been through this particular news cycle before and maybe will again a year or two from now.

––––––––––––––––


Our June 15 post examined the relatively heavier emphasis placed on state and local governments in the recently released Implementation Plan that guides the execution of Presidential Policy Directive 8 (PPD-8) on National Preparedness. We now turn to the question of how it approaches risk in ways that appear to differ from the March 30 Directive, and how these might influence development of the National Preparedness Goal (NPG) and National Preparedness System (NPS), which are due respectively by September 25 and November 24.

As we noted in Part 1, the Implementation Plan appears to somewhat de-emphasize risk, or at least to decouple it from core capabilities needed for Prevention, Protection, Mitigation, Response and Recovery (PPMRR).

In one key example of this shift, the Directive states that the NPG “shall define the core capabilities necessary to prepare for the specific types of incidents that pose the greatest risk to the security of the Nation.” The Implementation Plan reflects this statement as: “The [NPG] will define the core capabilities that must be established by the Nation in order to prevent, protect against, mitigate the effects of, respond to, and recover from the specific types of incidents that pose the greatest threat to the security of the Nation, including acts of terrorism and emergencies and disasters regardless of cause.”

There are three differences between these statements that provide insight into the views of the Department of Homeland Security (DHS):

    1) The original Directive’s phrase “to prepare for” is replaced in the Implementation Plan by, and therefore identified with, PPMRR. This effectively represents a new policy, since similar frameworks were encountered only in the context of capabilities, not preparedness (see, for example, the four mission areas of PPRR in the Target Capabilities List of bygone national preparedness guidelines). Preparedness has been identified as the intersection of – or gap between – risks and capabilities. So this new identification decouples risk from preparedness, at least in an explicit way. (Risk may be assumed in the concept of core capabilities, but only indirectly.)
    2) The Directive’s “risk to the security of the Nation” is replaced by “threat to the security of the Nation.” While this may seem like a trivial semantic change, risk and threat have well-defined technical meanings, and substituting one for the other changes the context of the statement substantially. While a threat may be identified almost intuitively, risk is a quantity that must be computed. Therefore, substituting threat for risk reduces DHS’ requirement to perform risk analysis. The Implementation Plan does call for a national risk assessment, so it does not appear to be abandoning risk altogether, but the change in this statement seems significant.
    3) The list of incident types has changed. In the opening statement of the Directive, four types of incidents are identified: acts of terrorism, cyber attacks, pandemics, and catastrophic natural disasters. The Implementation Plan mentions only terrorism and “emergencies and disasters regardless of cause,” never referring to cyber attacks or pandemics, and subsequently reverts to the general term “all hazards.” The four event types called out explicitly by the Directive represent different disciplines and call for vastly different capabilities to address. For the Implementation Plan to omit mention of cyber attacks and pandemics suggests that the Federal Emergency Management Agency (FEMA), which historically lacks experience with these two types of events, is either distancing itself from considering them or does not recognize their unique characteristics.

These changes in phrasing provide clues that perhaps DHS does not intend to perform a detailed risk analysis to drive capabilities, but would rather start from the capabilities it deems important. The Implementation Plan does state that the NPG “will include a standardized, objective approach for assessing threats and hazards to identify core capabilities and where they are needed…” and, later, “[DHS] will conduct a strategic, national-level risk assessment to identify the relevant risk factors that guide where core capabilities are needed…” However, these two statements leave the connection between core capabilities and risks uncomfortably vague.

Other mentions of core capabilities imply that they represent an unprioritized list, with a set of performance measures for each. The Directive does in fact call for a set of “prioritized objectives to mitigate that risk,” but nowhere in the Implementation Plan is it specified how the core capabilities are connected to risk mitigation. Once the core capabilities are identified based on an assessment of threats and hazards, they take on a life of their own, with their own performance objectives. It is therefore unclear how DHS will determine the “level of performance” needed by different geographies, which are subject to different risks from different threats and hazards. This is, of course, the critical question in the feedback loop of risk management; FEMA has never answered it, and this plan does not promise to do so, either.

Lastly, the Implementation Plan distinguishes between performance objectives for “all-hazards” capabilities and those for “catastrophic preparedness.” This distinction is not apparent in the Directive, which calls only for DHS to consider “catastrophic natural disasters” among its list of “greatest risk” event types. This may reflect a FEMA preoccupation with non-catastrophic natural hazards – as would the previous substitution of threat for risk, which emphasizes frequency over consequence.

––––––––––––––––


In a February post we discussed Executive Order 13556 establishing a Controlled Unclassified Information (CUI) program, an effort by President Obama to standardize and simplify the way the executive branch handles unclassified information. The order designated the National Archives and Records Administration (NARA) as the executive agent responsible for implementing the policies of the order and directed it to develop a document outlining for executive agencies the initial directives for implementation of the order.

Earlier this month, NARA released these directives, which will undoubtedly impact the designation process of Critical Infrastructure Information (CII), Law Enforcement Sensitive (LES) information and Sensitive Secure Information (SSI).

Pursuant to the directive, once a CUI program is implemented within an agency, CUI markings will be the only markings authorized to designate unclassified information requiring further safeguarding or dissemination controls. Legacy material markings, meaning sensitive but unclassified materials that were previously marked under agency-specific marking practices, will not be carried forward. In addition, the appropriate CUI marking will only be applied to legacy material if the information meets the requirements for designation as CUI. Further, the directive explicitly enunciates that CUI may not be controlled indefinitely unless explicitly stipulated by law, regulation or policy. And each category of CUI must have a specific time frame or triggering event for applicable decontrol.

The onus is now on the executive agencies, such as the Departments of Defense and Homeland Security. Each must provide NARA with a proposed plan for compliance with the requirements of the order, including the establishment of interim target dates in the next 180 days.

We will continue to monitor CUI developments as the agency implementation process progresses.

––––––––––––––––
