DSBlog

Careful contingency planning and an all-hazards approach to assessing risk enabled Arkansas-based Wal-Mart Stores to respond in exemplary fashion to the March 11th earthquake and tsunami in Japan, first by quickly restoring its own in-country supply chain and then by delivering much-needed food, water and relief supplies to the worst-hit areas along Japan’s northeastern coast, even as the Japanese government continued to struggle with its own disaster response.

At the time of the 9.0-magnitude offshore quake, the U.S. retail giant had 414 stores in Japan, all operating under the Seiyu brand (photo, right). Of those, 24 Seiyu stores employing 1,889 people were located in the Sendai and Fukushima areas closest to the epicenter. Only two stores were badly damaged in the quake and the company lost only one employee in the massive tsunami that followed – extraordinarily low numbers given the regional death toll and physical devastation.

The Wall Street Journal recently ran an illuminating article on Wal-Mart’s disaster response operation. In describing the company’s approach to risk management, it notes that at Wal-Mart headquarters in Bentonville, “a team of experts that includes a meteorologist sizes up potential threats and works with local and national governments and aid groups on contingency plans.”

With such plans at the ready, Wal-Mart was able to respond quickly despite the damaged stores, shell-shocked employees, empty shelves due to panic buying, a region-wide power outage, fuel shortages and severely degraded telecommunications. Among other notable achievements, employees from the 22 undamaged stores were handing out food and water from their parking lots just 12 hours after the Friday quake, and Wal-Mart execs chartered a Chinese plane and had delivered 10 tons of water, flashlights, batteries, blankets and food by the afternoon of Wednesday, March 16th.

Wal-Mart owes its risk management acumen at least in part to plenty of prior disaster experience, including a massive earthquake in China, wildfires in California and of course Hurricanes Ike and Katrina. Alex McLellan, a Principal Analyst at the Homeland Security Institute who has studied Wal-Mart’s Katrina response (photo below), found for example that 66 percent of its stores in the affected region had reopened within 48 hours, and 93 percent were back in seven days.

McLellan, who presented his Katrina findings at a conference hosted by the Security Analysis & Risk Management Association (SARMA) last October, calls this kind of bounce-back the “agile systems approach to organizational resilience.”

His thesis is that “organizations can improve their capacity to adapt to disruptions from all sources, to include disruptions to business activities that occur as the result of everything from disasters and emergencies to marketplace volatility. By developing agility, organizations can improve their resilience and preparedness.”

It’s a theory that could be applied just as easily to a government as to a large commercial enterprise.

(All photos courtesy of Wal-Mart)

––––––––––––––––

Digital Sandbox is the leader in public safety risk management, providing analytic tools and information products to government agencies and large enterprises, for optimizing risk-based strategic, policy, and budgetary decisions.

How far will an organization go to protect its most sensitive information? Plaintiffs’ attorneys suing Toyota Motor Corp. over sudden unintended acceleration in several Toyota and Lexus models are finding out. Although the U.S. government recently ruled out software glitches as the cause of multiple acceleration-related accidents, the attorneys want to hire 10 outside engineers to review the software source code anyway – and they want access to well more than the 280,000 lines of Toyota Camry code scrutinized by the Feds.

Not surprisingly, the Japanese auto giant is fighting the move in the California federal court where hundreds of consumer lawsuits have been consolidated, calling the code its “crown jewel” and insisting on the imposition of a bank of strict – and in some cases novel – security measures that would make many a CISO blush with envy. A report in today’s Wall Street Journal quotes the plaintiffs’ attorneys blasting the measures as “beyond anything remotely reasonable,” but the two sides are reportedly negotiating and are expected to finalize security details by the end of this week.

Besides putting in place protective legal agreements and allowing Toyota to alert the court and request an emergency hearing if it believes plaintiffs are accessing the code in an improper way, the Journal article and a report last month in the Associated Press list the following proposed security steps:

• Keeping the source code on Toyota servers, and setting up a secure room to view the information on-screen (especially pertinent in this new Wikileaks era, when digital copies of anything are fair game). According to the AP, “The room will be guarded and will have a surveillance camera and a screener at the door to monitor who comes and goes, and any material that is not shredded at the end of each day will be placed in a safe.”;
• Requiring attorneys and others to submit to iris and palm scans before entering the secure room in order to monitor who is viewing the software code; and
• Tagging each page of printed documentation, including notes relating to the software code, with radio frequency identification (RFID) tracking chips that can be detected by a scanner at the door to the study room.

As noted in our earlier post on the exhaustive steps the U.S. Agriculture Dept. takes to protect sensitive crop information prior to its public release, we can’t help but think some of these new measures would be very useful in the protection of a different set of ‘crown jewels’: classified U.S. government security information.

––––––––––––––––

Digital Sandbox is the leader in public safety risk management, providing analytic tools and information products to government agencies and large enterprises, for optimizing risk-based strategic, policy, and budgetary decisions.

A National Oceanographic and Atmospheric Administration (NOAA) animation of the tsunami that was triggered near Japan’s northeastern coast by a massive undersea earthquake on March 11 shows just how devastating, far-reaching and complex such a phenomenon can be.

The animation compresses 24 hours into just over one minute, and can be found on the YouTube channel of NOAA’s Pacific Marine Environmental Laboratory (PMEL) in both narrated and unnarrated versions.

Additional analysis of the tsunami can be found on Dr. Jeff Masters’ WunderBlog as well as the NOAA Center for Tsunami Research website.

(Screen shot image courtesy of NOAA)

––––––––––––––––

Digital Sandbox is the leader in public safety risk management, providing analytic tools and information products to government agencies and large enterprises, for optimizing risk-based strategic, policy, and budgetary decisions.

Although likely Congressional approval of a stopgap measure that funds the U.S. government for another month would buy all sides a bit more time to agree on a fiscal-year 2011 budget, state and local agencies that rely on grants from the Department of Homeland Security are already feeling the pain of operating without such grant funding – and at their FY 2010 levels – as required in these so-called continuing resolutions (CRs) Congress has been passing since the fiscal year began last October 1st as it struggles to agree on a real budget.

Moreover, political pressures to cut federal FY 2012 spending well beyond what the Administration requested in February are adding to an already grim budgetary outlook, as are moves in a growing number of states to curtail the bargaining power of government unions – which count police, firefighters and other public safety professionals among their ranks.

The consequences can already be felt. In the past few months there’s been growing talk of state and local government employee layoffs – potentially including public-safety personnel –  in state houses and city halls across the country, including Massachusetts, New Jersey, California, Alabama, Michigan, New York  – you get the idea – with only an occasional line being drawn in the sand against such moves (see Trenton and Tucson, for two examples).

According to the Associated Press, the latest CR is likely to be approved next week and would keep the government running through Friday, April 8th, but only at bare-minimum levels of funding and with $6 billion in cuts sought by Congressional Republicans. With CRs rather than a real FY 2011 budget, funds not being disbursed include nearly $1.8 billion in grants under the Federal Emergency Management Agency’s Homeland Security Grant Program (HSGP) and a similar amount under a variety of other FEMA grant and assistance programs. In addition there have been attempts by some in Congress to further curtail grant funding, such as a proposed amendment to the CR from Rep. Nita Lowey (D-NY) that would prohibit FEMA from providing Urban Areas Security Initiative (UASI) grants to any more than 25 high-risk urban areas, which would leave another 39 urban areas without grants. (Such proposals come rapidly and can disappear without a trace; a good source for the latest on the CR and FEMA grant funding developments on Capitol Hill is Grants And Funding.Net.)

As for the FY 2012 budgetary picture, the administration has requested $3.84 billion for FEMA grant programs, representing 7 percent of the DHS budget and some $320 million less than the programs received in the previous two fiscal years. DHS is also trying to proactively demonstrate its budgetary responsibility by proposing such initiatives as the elimination of “stove-piped and duplicative State and local grant programs through consolidation and cutting over $450 million from administrative costs and professional contract services.”

Such grants are a critical source of funding among a multitude of state and local public safety professionals and programs around the country. They build capabilities that go well beyond normal public safety resources and requirements – such as fusion centers – and as such are vital to preventing the next terrorist attack or responding to the next natural disaster. Delaying or eliminating funding for such capabilities may well represent an altogether different, but no less perilous, disaster in the making.

––––––––––––––––

Digital Sandbox is the leader in public safety risk management, providing analytic tools and information products to government agencies and large enterprises, for optimizing risk-based strategic, policy, and budgetary decisions.

It’s been a busy time for state and urban-area fusion centers. Recent developments include the completion of several key studies, watchdog reviews and strategy papers designed to assess fusion center progress and capabilities, and to identify areas needing improvement or additional resources. With the 2011 National Fusion Center Conference scheduled for the middle of this month in Denver, we thought it would be an opportune time to review some of the activities that have taken place since our last fusion center roundup.

One major area of attention in 2010 was the government’s first formal in-depth look at fusion center capabilities. This so-called Baseline Capabilities Assessment (BCA), conducted by multiple federal and state/local agencies from April to September, was designed to gauge the overall level of maturity of the national fusion center network, identify specific and systemic gaps, and identify and prioritize the resources needed to maintain or improve fusion center performance. The BCA also evaluated fusion centers’ abilities to protect the privacy, civil rights and civil liberties (P/CRCL) of Americans, partly in response to a number of complaints and legal actions that arose in the preceding year.

The BCA focused on four critical operational capabilities (COCs) for the fusion centers – Receive, Analyze, Disseminate and Gather – that had been identified at the 2010 National Fusion Center Conference. In December 2010, DHS challenged the fusion centers to accelerate their improvement efforts via a Critical Operational Capabilities Gap Mitigation Strategy, which includes short-term steps “to help ensure fusion centers are capable of executing the COCs during situations involving time-sensitive and emerging threat information” and longer-term gap mitigation activities that will allow fusion centers “to fully achieve and maintain the COCs and P/CRCL protections.”

A comprehensive update on the BCA and Gap Mitigation Strategy by Bart Johnson, DHS Principal Deputy Undersecretary for Intelligence and Analysis, can be found in the February 2011 issue of The Police Chief magazine.

While DHS was assessing its fusion centers, the Government Accountability Office (GAO) was conducting a separate study, and in December published a version of a report originally released in September, with the sensitive information redacted. INFORMATION SHARING: DHS Could Better Define How It Plans to Meet Its State and Local Mission and Improve Performance Accountability concludes that while DHS intelligence products and other services have generally been well received by its state and local partners, the department “has not yet defined how it plans to meet its state and local information-sharing mission by identifying and documenting the specific programs and activities that are most important for executing this mission.” It also notes that current performance measures do not allow DHS to demonstrate the expected outcomes and effectiveness of programs and activities that support state and local partners, and urges DHS to establish time frames for developing additional performance measures.

The DHS Office of the Inspector General (OIG) issued a report of its own in October 2010 which found that DHS information-sharing with fusion centers has generally improved, primarily due to the deployment of agency intelligence analysts to most of the centers and clarifications regarding its information requirements. However it also noted that fusion centers experienced difficulty obtaining information from some DHS agencies, and that certain quick-turnaround intelligence reports were not forthcoming. In addition, the report concluded, “information technology systems do not fully support information sharing between DHS and state and local fusion centers,” forcing fusion center personnel to rely instead on emails for situational awareness and intelligence sharing. Other IT shortcomings include “challenges with limited system content and usability, as well as the existence of too many federal systems and no ability to conduct comprehensive or simultaneous searches across multiple systems or department databases.”

Not all fusion center activity centered around reports. In terms of recent events, for example, the Center for Homeland Defense and Security (CHDS) at the Naval Postgraduate School conducted its second Fusion Center Leaders Program (FCLP) in Monterey in November. The inaugural session of the FCLP, an executive-level educational program for fusion center directors, took place in June. In addition, Fusion Center Conference manager IIR organized a workshop in San Diego in December entitled Critical Infrastructure and Key Resources (CIKR) Capabilities for Fusion Centers.

As for upcoming events, Digital Sandbox will have several representatives at the Fusion Center Conference in Denver. We hope to see you there.
––––––––––––––––

Digital Sandbox is the leader in public safety risk management, providing analytic tools and information products to government agencies and large enterprises, for optimizing risk-based strategic, policy, and budgetary decisions.