LGV Video Clips

Use the links below to watch a video clip on each of these topics.

Fireside Chat with Diane Brady: Securing the Digital Economy – [Video Clip]
5th Annual Cybersecurity Summit – [Video Clip]
Can anyone guarantee the security of personal data online? – [Video Clip]
How the Trump administration boosts internet security – [Video Clip]
Cybersecurity in Transition – [Video Clip]
U.S. Cyber Policy Conference: Panel on Public-Private Innovation and Collaboration – [Video Clip]
Kiersten Todt and Roger Cressey – [Video Clip]

Better Federal Mobile Security — an interview with Kiersten Todt

By Lookout

Over the past decade, the federal government has followed the rest of society in a general move towards mobility. The trend toward mobility is an essential part of fulfilling the government’s mission of service to the American public. More functionality and power is being put into mobile devices, which is a very positive development.

As more functionality moves to mobile, however, the mobile device becomes an increasingly attractive attack vector. We recently sat down with Kiersten Todt, the resident scholar at the University of Pittsburgh Institute for Cyber Law, Policy, and Security, to discuss this trend. Todt was recently a panelist at the Federal Innovation Summit held in Washington, D.C., sponsored by FedScoop.

Todt is also the president and managing partner of Liberty Group Ventures, LLC (LGV), a role in which she develops risk and crisis management solutions for cybersecurity, infrastructure, homeland security, emergency management, and higher education clients in the public, private, and nonprofit sectors. She recently served as the executive director of the Commission on Enhancing National Cybersecurity, which helped carry out President Barack Obama’s Cybersecurity National Action Plan. See the Q&A below.

1. Thank you for speaking with us. What’s the current climate within agencies right now with regard to mobile security? Who gets it and who is still stuck in 2010?

Todt: The climate and understanding can vary not just between agencies, but also between entities within agencies. How mobility is viewed is intrinsic to what the entity understands cybersecurity to mean.

There are varying levels of understanding within federal IT circles. But there is growing awareness that the most important endpoint has become the mobile device. When we see incidents like General Kelly’s phone being hacked, that of course is sobering but also a reminder of how we all maintain all our information on our mobile devices. The challenge is to ensure IT processes are aligned with the urgency of the mobile security requirement.

General IT awareness also varies within federal communities, and affects how mobile security is viewed. For example, some entities would say “well, we’ll never go to the cloud,” when they already have! The more you know about cybersecurity, the more you realize that moving to the cloud improves security for critical functions of all agencies – payroll, email, HR, and others.

Much of this improved security is provided by third party vendors, who have more day-to-day information on evolving cybersecurity threats. It’s smart for agencies to work with companies solely focused on this function. Innovation will, unfortunately, always outpace security. But working with experts closes the gap. It’s a logical extension of the “outsource non-core function” mindset.

Of course, agencies need to ensure they are working with the right partners.

2. Was there a big takeaway or aha moment on your panel last week?

Todt: Personally my big takeaway was, be honest about how secure something can be made. There was a discussion around the Google Play store, and how those applications had been “secured.” I’m sure Google is indeed doing more than in the past on this front. But when such assertions are made, complacency can actually increase mobile vulnerabilities. Our IT environments can never be 100 percent secure – that’s not being defeatist, it’s just being fully informed.

Of course, vendors will never want to emphasize the negative. But the fact remains that the bad guys will always be a threat, simply because they will discover issues not yet identified – the “zero-day” exploit.

For example, an individual device might be secure, but there are so many interdependencies and access points involved in the functionality, those can become vulnerable. We’re seeing malware getting injected earlier in the development process, to the point where applications are being built around the planted malware.

3. Is it dangerous for the White House, Pentagon and other agencies to be considering personal device bans?

Todt: It is very dangerous. The biggest reason why is that people will not follow the policy and find workarounds, which will be far worse for mobile security. I’ve personally seen an example in the emergency management space where official emails were being forwarded to personal email addresses to avoid a similar workplace ban. Obviously, the chances that email infrastructure is as secure as a government one are slim to none.

What’s needed are logical policies that take into account how people actually use mobility. The federal government has recently outlined some very clear steps agencies can take to improve mobile security. Mobile devices are an essential part of employee productivity today. I think most employees would say they simply can’t function without mobile devices.

I’ve used the analogy of a surgeon and a scalpel in discussions with my clients. There is a level of risk inherent in any type of surgery. Does that mean it’s logical to ban the use of scalpels by doctors? Outright bans are lazy policy and counterproductive.

4. What are the chances recent guidelines for mobile security become mandates, if agencies don’t move fast enough?

Todt: I think that’s very likely. Recent history shows us that it’s always better when change happens voluntarily, as opposed to via government mandate. No one likes to be told what to do, and oftentimes the government action will over-rotate and go further than it would have otherwise.

I think we’re seeing that now with the social media debate, Facebook, Twitter and so forth. The discussion is about what their responsibilities are around data usage and protection. The process takes time, but if actions aren’t taken voluntarily there will be government regulation. Collaboration is almost always more effective and productive.

I’d argue another example is the creation of the Department of Homeland Security in the early aughts. In the aftermath of the 9/11 attacks, there was a consensus that this country needed an agency solely focused on defense. The objective was a good one, but 22 federal agencies and departments were thrown together in a very short period of time. There’s broad agreement among those I talk to that absent the 9/11 catastrophe, the agency could have been constructed more efficiently.

5. What do you see happening around federal mobile security in the next 12-18 months?

Todt: I hope to see awareness continue to grow within government for the need to integrate mobile security into fundamental operations. This could be supported through executive or general cyber policy guidance. The report done last year by DHS outlines some effective ways to increase security.

The White House and OMB have a big role to play in supporting this broader awareness, and helping to translate it into policy. Better integration is required, and embedding mobile security earlier in the development process.

Top Security Experts Organize to Educate Small Businesses

By Jeff Stone
The Wall Street Journal

Private sector heavyweights are uniting as part of an effort to help small- and medium-sized enterprises increase their awareness about digital threats and mitigate cyber risks.

The Cyber Readiness Institute, launched Wednesday, is a nonprofit organization that aims to help SMEs navigate the world of cybersecurity by connecting executives with top U.S. business leaders and third-party organizations. The organization’s co-chairs include Satya Nadella, chief executive of Microsoft Corp., Ajay Banga, president and chief executive of Mastercard Inc., Samuel Palmisano, former chief executive at International Business Machines Corp., and Penny Pritzker, former U.S. secretary of commerce.

“How do we take the resources and lessons of large companies and help small and medium enterprises use that for their own cyber risk management and for their employees?” asked Kiersten Todt, managing director for the Institute. “The objective here now is to create a membership of senior leaders across the globe to put that together.”

Ms. Todt and Mr. Palmisano served as the executive director and the vice chairman, respectively, of the Obama administration’s Commission on Enhancing National Cybersecurity. The commission made a number of recommendations to the federal government that were later included in the Trump administration’s executive order on cybersecurity.

Assigning cybersecurity responsibility to cabinet officials, an initiative to fight botnets, a workforce initiative and the plan to use the U.S. National Institute of Standards and Technology’s cybersecurity best practices across the government were all among the recommendations adopted in the executive order. Mr. Palmisano said the Institute will continue to raise awareness about many of the same issues.

“We need to quite honestly simplify best practices and the NIST framework for small business,” he said. “Part of the process in convening leadership is to converge their ideas and come up with an approach that applies to SMEs. Maybe that means helping them assess their vulnerabilities with a questionnaire, or a methodology that helps them see that their biggest exposure is their firewall, or a lack of password security.”

After a series of leadership meetings–the first being tentatively scheduled for October on third-party risks–the Institute aims to create an online curriculum where interested executives can educate themselves.

How the Trump administration boosts internet security

The former Executive Director of the President’s Commission on Enhancing National Cybersecurity Kiersten Todt speaks out on ‘Special Report’

National Cybersecurity Specialist Kiersten Todt to Join Pitt’s Institute for Cyber Law, Policy, and Security

PITTSBURGH — The former executive director of the Commission on Enhancing National Cybersecurity has a new position as resident scholar at the University of Pittsburgh Institute for Cyber Law, Policy, and Security, effective today.

Kiersten Todt headed up the national cybersecurity commission, which helped carry out President Barack Obama’s Cybersecurity National Action Plan. Its members — top strategic, business and technical thinkers from outside government — worked to strengthen cybersecurity in both the public and private sectors while protecting privacy, maintaining public safety and economic and national security and empowering Americans to better manage their online safety.

Todt will be representing Pitt’s Cyber Institute in Washington, D.C.

“Kiersten is uniquely and exceptionally qualified to take on this new role,” said Pitt Chancellor Patrick Gallagher. “I have been fortunate to work at her side on President Barack Obama’s Commission on Enhancing National Cybersecurity. At each turn, Kiersten spearheaded key discussions and developments related to cyber policy and cybersecurity, and I am thrilled that she will continue to extend this track record of success at the University of Pittsburgh.”

Said Todt: “I will ensure that Pitt Cyber contributes to the federal cyber policy discussions and develops a cyber agenda that, in collaboration with ongoing activities at Pitt, positions the Institute to be a thought leader.”

As head of the Commission on Enhancing National Cybersecurity, Todt and her team developed recommendations, presented them to Obama, then briefed President Donald Trump’s transition team in January. Key suggestions included creating baseline standards for internet of things devices and training the current cybersecurity workforce in relevant skills while attracting new people to the cyber workforce. Todt says she was pleased that many of the recommendations were included in Trump’s cyber executive order signed May 11.

Todt says the creation of Pitt’s Institute for Cyber Law, Policy, and Security comes at an important time as cyber threats continue to change and evolve.

“The Institute will be looking at the issue from the policy and law side,” she said, “which is critical and necessary.”

“Kiersten is a rock star, and we are overwhelmed to have her as part of our team,” said David Hickton, founding director of Pitt’s Cyber Institute.

Prior to Todt’s work on the national cybersecurity commission, she was the president and managing partner of Liberty Group Ventures, LLC. She developed risk and crisis management solutions for cybersecurity, infrastructure, homeland security, emergency management and higher education clients in the public, private and nonprofit sectors.

Todt was a partner at Good Harbor Consulting and was responsible for building and managing the company’s North America crisis management practice. Clients included states and localities, large corporations, maritime entities and college and university systems. Before joining Good Harbor, she worked for Business Executives for National Security and was responsible for integrating the private sector into state and local emergency management capabilities.

Todt served on the U.S. Senate Committee on Homeland Security and Governmental Affairs, working for committee chair Joseph Lieberman, and was responsible for drafting the cybersecurity, infrastructure protection, emergency preparedness, bioterror and science and technology directorates of the legislation that created the Department of Homeland Security.

Before working in the U.S. Senate, Todt served in Vice President Al Gore’s domestic policy office and was responsible for coordinating federal resources with locally defined needs, specifically focusing on energy and housing issues. She was also the senior adviser on demand-reduction issues to Director Barry R. McCaffrey at the White House Office of National Drug Control Policy (ONDCP).

Todt graduated from Princeton University with a degree in public policy from the Woodrow Wilson School of Public and International Affairs. She holds a master’s degree in public policy from the John F. Kennedy School of Government at Harvard University and was selected to be a Presidential Management Fellow in 1999.

Five Steps to Strengthening Cyber-Defenses (CIO Insight magazine)

Faced with liability from cyber-attacks, companies must take proactive steps to ensure they are prepared to mitigate the impact of a cyber-attack.

By Kim Peretti and Jason Wool, Alston & Bird LLP, and Kiersten Todt and Roger Cressey, Liberty Group Ventures, LLC

It is often said that a cyber-attack is a matter of “when,” not “if,” for companies ranging from Fortune 500 powerhouses to mom-and-pop establishments. While this statement provides a dose of dark reality, it offers no practical guidance. Anyone on the receiving end of this advice may be wondering how to take effective action in light of the inevitability of network intrusions, data breaches, data theft and the emerging threat of data manipulation. Does this mean that companies should simply accept that the risk exists? More importantly, does it mean that executives and boards of directors should ignore cyber-security to avoid legal liability after an attack?

Of course, the answer to these questions is a resounding “no.” Instead, the near impossibility of avoiding network intrusions means that organizations must develop cyber-risk management strategies that are agile and can adapt to evolving threats. Cyber-attacks are a risk that must be managed like any other enterprise risk. Companies must determine their cyber-risk appetite, the resources that they are willing to dedicate towards reducing that risk, whether to transfer a portion of the risk, and even whether to accept some of it. These decisions must be part of a cycle that is repeated with regularity.

Faced with potentially large liability from cyber-attacks, companies are advised to take proactive steps to ensure they are prepared to respond effectively to mitigate the impact of a cyber-attack.

The time to invest in cyber-security is before an attack. If cyber-attacks are inevitable, then resiliency is imperative. One of the primary measures of determining the effectiveness of a company’s security practices is the ability of that company to contain and minimize the damage from an event and resume normal operations as quickly as possible or, preferably, maintain continuity of operations in the wake of a breach.

Here are five risk-management steps your company can take now to better manage cyber-risk and reduce its liability exposure after a breach occurs.

Change corporate culture and shift company mindset.

Similar to cultural shifts that occurred around workplace safety and seatbelts, an evolution is necessary in corporate culture to incorporate cyber-security into every level of the enterprise. This shift includes identifying, with input from the highest levels of the company, critical assets, such as intellectual property, and sensitive data, such as personal information, and ensuring that corporate cyber-security policies prioritize the protection of those assets and data. But cyber risk management cannot be top-down only–it must simultaneously be bottom-up, meaning that IT security operations personnel actively participate in program design and management to ensure that practices and policies are aligned.

A change in corporate culture requires a substantial commitment to conducting regular educational outreach, including meaningful awareness campaigns and useful training for employees and senior executives. Such initiatives could include:

  • Educating senior executives and board members on cyber-security and the risks associated with it, some of which are equal to, if not greater than, many of the traditional risks a board oversees. Educational opportunities might include briefings by subject matter experts on evolving cyber-threats and their relevance to the enterprise;
  • Conducting annual (or more frequent) cyber-training for employees, focusing on applicable corporate policies and procedures, as well as on relevant cyber-threats and vulnerabilities;
  • Conducting corporatewide cyber-awareness campaigns to address common malicious actions (e.g., targeted social engineering, phishing, watering hole attacks);
  • Ensuring cyber-security education is a component of on-boarding/new employee training; and,
  • Conducting corporatewide tabletop exercises that incorporate cyber-attack scenarios into the exercise design.

Connect the IT/Information Security and Legal departments within the company.

Similar to senior executives and the board, general counsels and other legal personnel must understand their responsibility for cyber risk management and their role in cyber-security preparedness and incident response. Similarly, IT and security practitioners must be aware of the legal issues and other risks associated with network security and corporate data. Central to this two-way connection is both groups meeting half-way on knowledge and communication: counsel must develop a general familiarity of IT and security issues, and IT and security practitioners must learn to communicate without over-use of technical jargon. It is also essential that counsel communicate and non-legal personnel understand and embrace the general framework for attorney-client privilege and work-product protection in the context of internal investigations. Regular and easy communication between these groups is critical. Counsel must be especially clear with security practitioners that their primary goal is to protect the company from harm, not to interfere with security decision-making. Security personnel must also recognize that their jobs have a direct impact on the business’ core missions.

Companies can also engage outside counsel and security consultants to provide information on the legal and policy landscape, an overview of current threats, and an assessment of whether the organization’s practices are in line with regulator expectations and reasonable security practices. As with many services provided by counsel, companies may be able to cloak legal assessments in the attorney-client privilege, which should incentivize them to engage in these types of investigations.

Use the National Institute of Standards and Technology (NIST) Cybersecurity Framework.

The NIST Cybersecurity Framework is now being used by large and small companies in multiple industry sectors. It can be used to create a common language within an enterprise and among partners and vendors for its cyber risk management activities. It can also be used to identify how the company currently manages cyber-risk, whether there are any gaps in its current program, and how it would like to improve its risk management policies. Companies can also use the framework as a cyber-risk dashboard tool to facilitate cyber risk management and oversight by senior executives and board members, respectively.

Ensure cyber-security is a priority in the company’s negotiations with vendors and partners.

Supply chain risk management has emerged as an essential cyber risk management practice, as contracting and procurement can create significant security vulnerabilities if not appropriately overseen. Companies must understand that high-profile breaches can and have occurred because of supply chain and vendor vulnerabilities, including stolen vendor credentials, third-party remote access to corporate systems and backdoors in purchased solutions, which provide attackers with direct access to corporate networks. Companies must therefore be sure to conduct thorough vendor due diligence and include counsel and security personnel in negotiations, as necessary.

Plan for the inevitable.

Although cyber-attacks may be inevitable, companies have a choice regarding how resilient they are in response to them. Companies must have incident response plans in place that cover the technical and business sides of responding to a security incident. Beyond merely having a plan in place, they must also embrace the mantra of “test, test, test.” By regularly performing tabletop exercises and simulations, especially after game changers in the cyber threat landscape, companies ensure their plans are agile, flexible and suited to respond to the current threat landscape as effectively as possible.

Such tabletops and simulations should test both the technical and business sides of the response (though not necessarily in the same exercise), and should involve senior management and their specific roles in incident response. Companies should also integrate their existing crisis management processes and business continuity plans into their breach response planning efforts–significant security incidents are crisis events.

Finally, companies should be sure to improve upon their plans following exercises and report findings to senior management and the board. Understanding how prepared the company is for a data breach or significant cyber-event is part of the job of senior management and the board. As a result, a reporting structure for this information should be developed or incorporated into an existing one.

Conclusion

All of these steps share one essential characteristic – they are about people and policies, not technology. Technology is undoubtedly an essential component of any information security program, but it is not sufficient in and of itself. Companies need to educate their people and develop policies that those people implement. Technology can support the implementation of those policies, but it is not the solution alone. As cyber-security breaches become more common, preparatory and response activities, as designed in corporate policies and conducted by employees and other personnel, may be what make a company’s practices reasonable. In addition, although cyber-attacks may be inevitable, there are concrete steps companies can take to reduce the opportunities for severe disruption. Even the most sophisticated attacks often begin with an employee clicking on a link, opening an attachment, or using a weak password. Focusing on people and policies is an essential means of reducing cyber-risk and ensuring corporate resiliency, even in the face of the inevitable.

Target Admits Customer PIN Data Removed but Says It’s ‘Secure’

By Aaron Katersky and Susanna Kim

Target Corp. said that PIN data was lifted during its massive data breach, but that it’s “confident that PIN numbers are safe and secure.”

“The most important thing for our guests to know is that their debit card accounts have not been compromised due to the encrypted PIN numbers being taken,” Target said in a statement today about the data breach that might have affected as many as 40 million customers between Nov. 27 and Dec. 15.

Earlier this week, a Reuters report said debit card PIN data may have been compromised, which Target denied. But through “additional forensics work” on Friday morning, the company confirmed “that strongly encrypted PIN data was removed.”

Target defended its position, saying that when a guest uses a debit card in its stores and enters a PIN, the PIN is encrypted at the keypad with what is known as Triple DES.

“The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems,” Target said in its statement on Friday.

“I hope they are right because that information, along with the credit and debit numbers of millions of Target customers, has been in the hands of ‘very sophisticated’ criminals for over four weeks and has been, and is probably still being, sold in the black markets,” said Adam Levin, chairman and co-founder of Identity Theft 911 and Credit.com.

Target said it “does not have access to nor does it store the encryption key” within its system.

“The PIN information is encrypted within Target’s systems and can only be decrypted when it is received by our external, independent payment processor,” Target said on Friday. “What this means is that the ‘key’ necessary to decrypt that data has never existed within Target’s system and could not have been taken during this incident.”
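The mechanism Target describes, as an added example that is not from the article or from Target: a PIN block in the common ISO 9564-1 format 0 is built at the keypad (PIN digits combined with part of the card number so the same PIN on two cards does not encrypt to the same value), encrypted with Triple DES in a single block operation, and only ever decrypted by the party holding the key. The key, PAN and PIN below are constructed values. One caveat the article does not spell out: Triple DES is a symmetric cipher, so the PIN entry device that encrypts must hold the same key the processor uses to decrypt. A statement that the decryption key “never existed” on a merchant’s systems therefore rests on confining that key to the tamper-resistant PIN pad (retail deployments commonly derive a fresh key per transaction, which this example does not model).

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// panField returns the ISO 9564-1 format 0 PAN field: "0000" followed by the
// rightmost 12 digits of the PAN, excluding the trailing Luhn check digit.
func panField(pan string) ([]byte, error) {
	if len(pan) < 13 || strings.Trim(pan, "0123456789") != "" {
		return nil, errors.New("PAN must be at least 13 numeric digits")
	}
	return hex.DecodeString("0000" + pan[len(pan)-13:len(pan)-1])
}

// BuildPINBlock runs inside the PIN entry device. The PIN field is the format
// nibble 0, the PIN length, the PIN digits and 0xF padding; XORing it with the
// PAN field binds the block to one card.
func BuildPINBlock(pin, pan string) ([]byte, error) {
	if len(pin) < 4 || len(pin) > 12 || strings.Trim(pin, "0123456789") != "" {
		return nil, errors.New("PIN must be 4 to 12 numeric digits")
	}
	pf, err := hex.DecodeString(fmt.Sprintf("0%X%s", len(pin), pin) + strings.Repeat("F", 14-len(pin)))
	if err != nil {
		return nil, err
	}
	pa, err := panField(pan)
	if err != nil {
		return nil, err
	}
	block := make([]byte, des.BlockSize)
	for i := range block {
		block[i] = pf[i] ^ pa[i]
	}
	return block, nil
}

// ExtractPIN reverses BuildPINBlock at the processor, which is the only party
// holding both the decrypted block and the key. A block decrypted under the
// wrong key fails the format checks instead of yielding a plausible PIN.
func ExtractPIN(block []byte, pan string) (string, error) {
	if len(block) != des.BlockSize {
		return "", errors.New("PIN block must be 8 bytes")
	}
	pa, err := panField(pan)
	if err != nil {
		return "", err
	}
	pf := make([]byte, des.BlockSize)
	for i := range pf {
		pf[i] = block[i] ^ pa[i]
	}
	s := strings.ToUpper(hex.EncodeToString(pf))
	if s[0] != '0' {
		return "", errors.New("not a format 0 PIN block")
	}
	n, err := strconv.ParseUint(s[1:2], 16, 8)
	if err != nil || n < 4 || n > 12 {
		return "", errors.New("bad PIN length nibble")
	}
	l := int(n)
	pin, pad := s[2:2+l], s[2+l:]
	if strings.Trim(pin, "0123456789") != "" || strings.Trim(pad, "F") != "" {
		return "", errors.New("malformed PIN block (wrong key or corrupted data)")
	}
	return pin, nil
}

// EncryptPINBlock is the keypad's single TDES block operation under the key
// injected into it. The point-of-sale system and store network see only the output.
func EncryptPINBlock(key, block []byte) ([]byte, error) {
	if len(block) != des.BlockSize {
		return nil, errors.New("PIN block must be 8 bytes")
	}
	c, err := des.NewTripleDESCipher(key) // Go requires a 24-byte (three-key) TDES key
	if err != nil {
		return nil, err
	}
	out := make([]byte, des.BlockSize)
	c.Encrypt(out, block)
	return out, nil
}

// DecryptPINBlock is the processor-side inverse of EncryptPINBlock.
func DecryptPINBlock(key, enc []byte) ([]byte, error) {
	if len(enc) != des.BlockSize {
		return nil, errors.New("ciphertext must be 8 bytes")
	}
	c, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, des.BlockSize)
	c.Decrypt(out, enc)
	return out, nil
}

func main() {
	// Constructed values for the example; a real key lives only in the PIN pad and at the processor.
	key, _ := hex.DecodeString("0123456789ABCDEFFEDCBA9876543210A1B2C3D4E5F60718")
	pan, pin := "4111111111111111", "1234"
	block, _ := BuildPINBlock(pin, pan)
	enc, _ := EncryptPINBlock(key, block)
	fmt.Printf("clear PIN block (never leaves the keypad): %X\n", block)
	fmt.Printf("encrypted PIN block (what the store holds): %X\n", enc)
	dec, _ := DecryptPINBlock(key, enc)
	recovered, _ := ExtractPIN(dec, pan)
	fmt.Println("processor recovers PIN:", recovered)
}
```

The format-0 binding to the PAN is why two cards with the same PIN produce different encrypted blocks, and the padding and length checks in ExtractPIN are what make a decryption under a wrong key detectable rather than silently wrong.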

Experts believed the PINs might have been compromised because banks such as JPMorgan Chase decided to limit ATM withdrawals and debit card purchases of affected Target customers.

Target is reaching out to affected customers after it learned scam artists posing as company representatives tried to steal more personal information.

Kiersten Todt, president and managing partner of Liberty Group Ventures, said it appears that Target took expensive steps to protect its consumer data.

“Target has obviously done a rigorous forensic analysis and shared that the encryption technology used to protect PIN data kept it secure for its customers, so that if the PIN data were stolen it is not accessible because it was fully encrypted,” she said.

Lessons in response and resilience from the Boston Marathon bombing

Kiersten E Todt considers how open events such as the Boston Marathon can be better secured against violence, examining the role of video surveillance, layered security and community and crowd awareness.

On 1 October 2005, a bomb detonated fewer than 200 yards from Oklahoma Memorial Stadium, where 84,501 spectators were attending a football game between the Oklahoma Sooners and Kansas State Wildcats.

Some spectators inside the stadium heard an explosion that was also reported up to five miles away, although fans on the east side of the stadium heard only a rumble – and a few heard nothing. Spectators were prevented from leaving the stadium at half-time, which caused concern among the fans who did hear the explosion.

In a press conference the next day, Oklahoma University President David Boren identified Joel ‘Joe’ Henry Hinrichs, a 21-year-old mechanical engineering student, as the person responsible for the detonation. He was the only fatality. Originally from Colorado Springs, Colorado, Hinrichs was a National Merit Scholar described by his father as a “very private individual” who had gone through “several severe bouts of depression” and had a difficult time making friends. Authorities learnt that Hinrichs detonated triacetone triperoxide (TATP), an extremely unstable compound that can be prepared using common household products and that had been used in the London bombings in July 2005. Authorities assumed that Hinrichs intended to detonate the bomb inside the stadium.

How does the Oklahoma bombing of 2005 relate to the 2013 Boston Marathon bombings? It is the most vivid example of how the issue of sports security could have been very different, years before the Boston bombing. Following the 9/11 terrorist attacks on America, national security experts and government officials were concerned about the challenge of securing ‘soft targets’, such as open events and venues – places where it is impossible to screen everyone because spectating integrates seamlessly into everyday life. One can only imagine how sports security would have changed in the aftermath of a successful attack by Hinrichs. That it was not successful was not down to effective law enforcement or the efforts of sport security professionals; it was pure luck, something that was not in supply at the Boston Marathon and something that cannot be relied on in sports security planning.

While remembering the tragedy of Boston in terms of loss of life, injury and psychological damage, there are several important lessons in crisis management and emergency response that need consideration. The initial lessons learnt from 15 April 2013 include the critical roles of first responders and the importance and evolving role of surveillance and crowd education.

The role of first responders

Emergency medical technicians (EMTs) played a crucial role in the immediate and effective response to the Boston bombings. As the attack occurred at the finishing line, EMTs and triage stations, well into their work treating exhausted and dehydrated athletes, were available to respond quickly to the immediate aftermath of the explosions. Even though the EMTs and triage station personnel were not planning for the treatment of severe injuries resulting from bombs, having highly trained and qualified EMTs and their associated resources at close hand ensured that injuries were treated more quickly and effectively than they would otherwise have been had those stations not existed.

The success of the EMTs and how they performed was also a function of where the bombings took place. Had they taken place in Framingham, Wellesley, or dozens of less notable places along the marathon route, the death toll may have been higher because of the lack of EMTs, first responders, supporting infrastructure and fewer hospital facilities a short distance away. The starting and finishing lines are the two most secure and prepared locations on a marathon route. Boston illustrated the advantage of an effective emergency response at the finishing line, but also highlighted the potential challenge of deploying sufficient emergency response at locations away from the starting and finishing lines of an open event.

It must be recognised that when dealing with an open sporting event, those who are responsible for security and safety must identify the places within and around the event where spectators and athletes are the most vulnerable – and where officials are least prepared for dealing with a crisis. Efforts towards strengthening the security of the event must include an increased EMT presence, as well as seeking greater contributions from local first responders along the event route. Consideration should also be given to actively recruiting volunteers who have backgrounds in emergency response. This effort will ensure a wider distribution of qualified first responders along the event route, while maintaining the continued priority of resources at the start and finishing lines.

The second major lesson from the Boston Marathon bombings involves the new and evolving role of surveillance at an open venue event. Surveillance enables security officials to keep an eye on assets, athletes and the crowd during an event, and it also provides the ability to return to the time of a security breach and collect evidence after it has occurred. Video taken by cameras outside the Lord & Taylor department store on Boylston Street near the bombing site proved to be a turning point in the Boston investigation, as one official publicly stated. In the aftermath of 9/11, the deployment of video cameras has grown significantly at stadia and arenas around the world. The Boston events demonstrate the utility of surveillance technologies at open sporting events, especially in high-traffic locations.

The Boston bombings offered several lessons on the role of surveillance in securing similar sporting events, because video cameras typically used for preventing crime can have a significant role in crisis response. This recognition is not an argument for the creation of a ‘surveillance state’, but we must acknowledge that the proliferation of video technology can be an important asset in emergency response and recovery, as well as in crisis management throughout a post-event investigation.

One of the issues raised by the Boston post-event investigation was the ability of law enforcement officials to process huge amounts of video, photography and social media offered by the public in response to a request for the public’s help in the identification of potential suspects. The role of the community in providing data, videos and photographs of the bombing scenes and suspects, as well as first-hand descriptions of activity by the bombing suspects, was crucial in the evidence-collection process, but handling such material is resource intensive.

Following the Boston Marathon bombings, there will, understandably, be a greater need and demand for additional surveillance at metropolitan sporting events and locations. Some experts may assert that the logical next step is video surveillance along the entire route of sporting events. However, the cost, logistics and coordination of such a step may make it prohibitive. A middle ground may exist in identifying distributed locations and providing surveillance at those key locations, each of which is a reasonable distance to EMTs and triage stations.

It is incumbent upon organisers and security officials for open venue sporting events to build upon lessons learnt from Boston and to understand the evolving nature of the threat. The security officials along the marathon route were primarily facing the athletes because in the past the primary concern was security breaches that would have interrupted the event. Police would look at the crowd for disruptive activity that could impact athletes on the course; they were not looking for individuals with intention to injure spectators. This approach is typical for law enforcement when there is no credible threat or intelligence information indicating malicious intent and conduct. For example, at the 2004 Athens Olympics an individual emerged from the crowd and attacked the lead runner in the men’s marathon. Event planners must recognise that the threat information available to them is unlikely to be specific or ‘actionable’. Instead, security officials and emergency responders should be prepared for a wide array of contingency scenarios. As a result of what happened in Boston, we can expect marathon officials in the future to distribute their focus and attention equally between the athletes, the event and the crowd/spectators.

We cannot predict the motives or tactics of ‘lone wolf’ terrorists. The key to minimising and containing the violence is to educate the community and foster resilience. Even though authorities in Oklahoma had opened an investigation into Joel Hinrichs due to his request to purchase large amounts of ammonium nitrate, and the FBI was aware that the alleged Boston bomber, Tamerlan Tsarnaev, had an extended stay in Russia, neither case offered probable cause to conclude that an attempt at attacking a sport event was likely. Without information that law enforcement can act upon, the role of the community becomes critical in creating awareness before, during and after an event.

Facilitating communication

We need to empower communities and local partners to identify anomalous behaviours and facilitate communication with authorities. The United States Department of Homeland Security instituted a public awareness programme in 2010 under the slogan, ‘If you see something, say something’. This programme acknowledges the role of community in countering security threats in the transportation sector, and this role is now extended to other arenas, including spectators at sporting events. An unattended backpack in an airport or train will quickly attract the attention of security officials. After Boston, the same may be true at open sporting events.

The Boston bombings also drew attention to the community’s role in identifying signs of radicalisation and countering violent extremism. The key question is whether the Tsarnaev brothers exhibited enough behaviour and signs to trigger the community to notify law enforcement. Do communities have the tools, education and awareness to know what their role is in community safety and security? If not, what needs to be done? The cooperation between the community and law enforcement is fundamental in identifying and preventing potential terrorist threats. What is notable about the Boston bombings is that these brothers came from an ethnic community that had not been on the radar screen of the counter-terrorism community. Communities need to be educated on behaviours and anomalies and what to look for in a constantly evolving threat environment.

Is Boston a game-changer for countering domestic terrorism? Not necessarily, but one of the most critical lessons in preventing similar acts of lone-wolf terrorism, particularly as it pertains to open venue sporting events, is empowering communities and giving them the tools, education and awareness to identify extremism.

Approaches to consider include examining the community-based methods for preventing, responding to and recovering from all hazards, particularly natural hazards. We must employ the concept of resilience at open venue sporting events in order to ensure that security preparation includes the ability to identify vulnerabilities and contain breaches.

Identifying key lessons

As tragic as the Boston attack was, the response to the bombings should be viewed as a success. Response was immediate, victims were treated quickly, and the suspects were identified and captured within days of the event. We have identified several initial key lessons, and there will undoubtedly be more as information continues to flow. Specifically, we learnt of the importance of a fully capable EMT presence that is deployed in sufficient numbers along the route, increased surveillance, and the work that needs to be done on educating a crowd, which begins with the education of communities. We need to ensure that we take lessons learnt from each security event and integrate them into our safety practices.

Prior to the 22 October 2005 Oklahoma University football game against the Baylor Bears, season ticket holders received a letter from Oklahoma University President David Boren outlining new stadium security procedures, including restrictions on bags and purses brought into the stadium, more security cameras and hand searches of belongings. Readmission to the stadium after exiting during the game or at half-time was prohibited except for medical emergencies. The university had taken immediate steps to integrate lessons that had been learnt from the failed bombing attempt in August.

Following Boston, road races in New York City and elsewhere around the country experienced high levels of security. At the Preakness horse race in Baltimore, Maryland, enhanced security practices were put in place prohibiting backpacks and only allowing transparent, see-through coolers inside the event perimeter.

Is there the potential for overreaction to the tragedy in Boston? Absolutely. The level of security at a sporting event must reflect a realistic assessment of risk, both from terrorism and less serious disruptions. Some initial security reactions following Boston will likely be adjusted over time, but they represent an important internalisation of how and in what ways security procedures need to change to reflect the current threat reality.

In August 2007, Oklahoma University held an emergency drill to better prepare for future events during home football games. A gas line rupture inside Oklahoma Memorial Stadium was simulated. More than 500 students participated, along with responders from the Department of Homeland Security, the Federal Emergency Management Agency, the local police and fire departments, the University of Oklahoma Police Department, and the Oklahoma Highway Patrol. It was the first university stadium emergency drill of its kind in the United States.

One of the most effective ways in which to build, systematically, on lessons learnt is to test scenarios before the event. Those who organise open sports events should develop and execute scenario-driven exercises that expose the current risks and vulnerabilities with all relevant constituencies, including security officials, law enforcement, EMTs, athletes and vendors. Some key security lessons learnt from Boston that could be tested in future exercises include how to handle a breach hours into an event when fatigue has set in, and how to maintain simultaneous surveillance on the crowd and the athletes. Exercising scenarios for open sporting venues is a necessity and should be a key component of security preparation before an event. We need to educate all of those involved in securing these types of events with scenario-driven approaches.

The layered defence approach that is effective in closed sporting events – including baggage checks, tickets and security gates – needs to be expanded upon to secure open sporting events. We need to identify the tools available in open events that will help prevent breaches, and also ensure effective response, recovery and resiliency to contain and manage the compromises. Initial lessons from Boston illustrate how EMT presence can ensure resilience, how surveillance is needed to improve prevention and response, and how crowd and community education and awareness are critical as the current threat environment continues to evolve.

Kiersten E Todt is the President and Chief Executive Officer of Liberty Group Ventures, LLC, and is a former professional staff member on the US Senate Committee on Homeland Security and Governmental Affairs.

Resilience in the event state

Security strategy has evolved since 11 September 2001, from a focus on prevention to a wider consideration of resilience. This approach has particular relevance to mega sporting events, where the ability to recover from disruption and complete the event is both important and time-sensitive. Kiersten Todt Coon discusses the value of resilience during major events.

On the final day of the Winter Olympics, an explosive device is detonated at a critical power substation for the statewide power company in close proximity to the international airport. The blast causes widespread power outages and sparks a fire at a nearby oil refinery, raising fears of terrorism. It knocks out power to 30,000 people.

How does this incident affect the Games? Do they need to be cancelled? What could have been done to prevent or mitigate the attack?

This event actually occurred on the final day of the 2002 Winter Olympic Games in Salt Lake City, but it barely made the local news, let alone national or international outlets. Why?

Following the attacks of 11 September 2001, the United States vowed that such an event would “never again” take place on its soil. I served in the US Senate during and after 9/11 and was on the team that drafted the legislation to create the Department of Homeland Security. As we developed each component of the Department, a primary question we asked was how could we prevent another attack, and what could be done to ensure this tragedy or something like it never happened again.

However, there has been a shift in thinking since 9/11. While prevention will always be important, it sets us up for failure because it is impossible to prevent every attack from occurring. The focus of security and crisis managers is now – and should remain – on response, recovery and resilience. We no longer question whether attacks, disasters, crises – whatever term we choose to define damage – will occur, but when. And when they do, how resilient are we? How quickly can we bounce back?

The Department of Homeland Security defines several “events of national significance”, or National Special Security Events (NSSE), that require the development and implementation of security operations. These range from presidential inaugurations to public funerals. They draw a large audience and are often covered live by broadcast media. These events are the ones for which we prepare with knowledge about most of the event components, but they are vulnerable because they are high-profile events and, therefore, attractive to an individual or group wishing to make a statement, or to embarrass a community or country.

To understand how to respond and recover from a disaster that affects a special event, we must understand what kind of incidents are being considered. Post 9/11, we focused almost exclusively on terrorist attacks, but we now know that the most efficient and effective use of resources is to build a security template that protects against hazards of all kinds, natural and man-made. In 2005, Hurricane Katrina demonstrated how an exclusive focus on tackling terrorism was a spectacular mistake.

Creating a resilient infrastructure

Sporting events can be targets for lone wolves who want to make a statement, or for larger terrorist groups that seek to debilitate a culture or community, psychologically and physically, through fear and damage. Therefore, sporting events drive the resilience point home – hard. The diverse methods of attack make it impossible to anticipate how an attack will be carried out, and therefore impossible to prevent it with a 100 per cent guarantee. Creating a resilient infrastructure for a sporting event is crucial.

We must first identify how characteristics shift from a normal state of activity (‘business as usual’) to the state surrounding the preparation for, execution of, and recovery from a sporting event. We have typically understood this shift in the context of a move from a normal state to an emergency state.

This concept has been applied most effectively to supply-chain management, which is a critical component of successful crisis management. The ability to deliver resources to points of need is a strong indicator of effective crisis recovery. Characteristics change in the supply chain between the normal state (ie day-to-day operations) and the emergency state (unpredictable disruption or disaster). Understanding how and when these characteristics change enables us to create a more resilient supply-chain infrastructure that can be agile and will continue to operate in a crisis.

The table below outlines how key characteristics change from the normal state to the emergency state. Because an emergency is unpredictable, it is difficult to anticipate when the shift occurs.

Identifying how characteristics shift from the normal state to the emergency state informs how we can most effectively prepare for a sporting event, or the event state. The event state is a hybrid of the normal and emergency states (ie has shared characteristics of both) and falls in between. By understanding the shared characteristics, and when the shift from normal state to event state occurs, we can most effectively prepare for the event state and create a resilient infrastructure – and a resilient sporting event. The event state demonstrates that creating resiliency is not only important in the face of a disaster, but it is important for the efficient and effective functioning of day-to-day operations.

The characteristics that are shared between the normal state and event state are those that are known before the event occurs. For example, we know the location and timing of the event and we can apply traffic-pattern knowledge. We are able to anticipate the number of people who will attend and participate in the event, and we have a general sense of the role that weather will play. Additionally, in the normal and event states, we know the physical and cyber infrastructure upon which we are relying.

To prepare for the event state we must identify the key characteristics that change from the normal to event state. One advantage of the transition to the event state, as opposed to the emergency state, is that we know when the state changes. The purpose of security in the normal state is to ensure the function of the local population. As soon as preparations begin for the sporting event, the state begins to shift. Examples of the characteristics that shift are the number of law enforcement personnel focused on the event, the surge in people who will be attending the event, and how that surge affects commercial and public infrastructure. While we can anticipate the number of people, the important difference between the normal state and the event state is how quickly the surge happens and how the crowd control is managed.

One of the other salient characteristics of an event state, as it relates to a sporting event, is the game itself and how it affects resiliency. What we cannot anticipate is how the fans respond to the game – disagreement with refereeing decisions, winners, losers, other factors that can incite fan anger or boisterous behaviour that becomes unsafe and interferes with the experience of others. By understanding the characteristics that shift between the normal state and the event state, we identify the components of an event state that must be resilient.

How can we create resiliency? The official definition of the method laid out by the US Government’s Presidential Policy Directive 8 is: “Resilience refers to the ability to adapt to changing conditions and withstand and rapidly recover from disruption due to emergencies”. The goal is to produce a venue or operation that is able to absorb the impact of an interruption.

Planning for the event state

An organisation builds a resilient security system for an event by developing and executing activities that support prevention, protection, response and recovery.

Specifically, citizens/participants who are aware of their surroundings and the potential for disruption can inform local authorities of suspicious activity. In July 2010, the US Department of Homeland Security launched an effective public-awareness campaign – “If you see something, say something”. It is described by the Department as “a simple and effective programme to raise public awareness of indicators of terrorism and terrorism-related crime, and to emphasise the importance of reporting suspicious activity to the proper local law-enforcement authorities”. This campaign engages the public and asks ticketholders and attendees to take ownership of security. Public-communications networks are in place to detect a problem early on, and can protect citizens by arming them with information. We do not have to live in a state of paranoia, but it is our responsibility to live in a state of awareness.

The framework for the US Department of Homeland Security Community Resilience Task Force suggests that maintaining a level of pre-event preparedness is the key to success in a crisis. It states that “resilience must be ‘front-loaded’ into preparedness efforts, not seen as an afterthought following an event, when efforts to enhance resilience may be hampered by association with failure”. Exercising and training are valuable resilience tools. Conducting war games and tabletop exercises that simulate potential events and force stakeholders to think through how they would act and respond during a disruption is an effective way to build organisational resilience.

Imagine if the security approach to the London 2012 Olympics and Paralympics had been solely to prevent attacks, rather than maintaining resilience in the face of disruption. London, and other parts of the UK, would have become a police state. But the London 2012 Games were flawless, in a sense, because of the careful transition made from the normal to event state in the weeks leading up to the Olympic Games.

The UK’s Olympic and Paralympic Security Directorate (OSD) within the Home Office had to prioritise its security concerns. Planning for an event of this magnitude calls for everything to be connected, otherwise, as noted by Will Jennings and Martin Lodge in The Olympic Games: Coping with Risks and Crises at a Mega-Event, “an isolated disruption [could] have far-reaching effects across both the site and programme of events”. Access routes to and from Olympic sites overlapped with the OSD’s plans for evacuation. First-aid tents appeared at choice points throughout the city. The task was tremendous, but the OSD was successful. Certainly, previously constructed hardened infrastructure, such as the ‘Ring of Steel’, and experience with managing and responding to large events greatly enhanced the OSD’s ability to ensure a resilient and flawless event.

Normal to Emergency State

| Characteristic | Commercial logistics (normal state) | Humanitarian logistics (emergency state) |
|---|---|---|
| Objective pursued | Minimisation of total logistic costs | Minimisation of human suffering |
| Knowledge of demand | Known with some certainty | Unknown and dynamic due to lack of information and access to the site |
| Decision-making structure | Structured interactions under control of a few decision-makers | Non-structured interactions with influences of possibly hundreds of decision-makers |
| Periodicity and volume of logistic activities | Repetitive, relatively steady flows, “large” volumes | Once-in-a-lifetime events, large pulse of flow, relatively “small” volumes |
| State of supporting systems (eg transportation) | Stable and functional | Impacted and dynamically changed |

Last-minute security concerns

The only major disappointment was regarding contracted private security staff. The roughly 10,000 contracted private security staff did not meet the needs of the 31 venues, and staffing was considered between four and 35 per cent off-target. London planners took executive action and ordered additional military personnel to serve.

Deploying active duty military had three effects: increasing the overall competency and skillset of the security staff; increasing the confidence of attendees in the event security; and acting as a deterrent for individuals or groups who may have tried to exploit flawed security. The planners filled the gaps and met the demands of a comprehensive security strategy.

What are the primary concerns in the event state? We know that our physical infrastructure is highly dependent upon our cyber infrastructure, but cyber security is often neglected or minimally addressed, even though it is now the foundation of event operations and planning.

In a sporting event, the cyber infrastructure controls critical components, such as match clocks, timing for races, and rapid, real-time calculations revealing which athlete or team is winning, or who won, and it manages the financial infrastructure of the vendors. Hacking into this infrastructure could have widespread consequences – some of which may even go unnoticed. And, as we continue to be reminded, cyber infrastructure is being compromised more frequently and with a greater level of severity, debilitation and destruction than ever before.

The critical role of cyber security

The challenges posed by crime executed through cyber outlets are that it is anonymous and it can be carried out from anywhere. The logistical obstacles around cyber crime are minimal for the offender – unlike the obstacles an individual who has a bomb must overcome to execute his or her task. Additionally, the comprehensive impact of a cyber attack on a state can be far greater than that of a physical event.

Earlier this year, a computer virus called Shamoon attacked the Saudi Arabian oil company, ARAMCO (and the Qatar energy company, Ras Gas, a few days later). What was alarming about this attack was that the virus took data and intellectual property and damaged the 30,000 computers it infected. The United States Secretary of Defence, Leon Panetta, said the Shamoon virus was “probably the most destructive attack the private sector has seen to date”. Attacks on the US financial sector this year reflect an ability to affect more users at a much higher speed. Globally, we are seeing a rapid and threatening evolution of the cyber threat.

How do we combat this growing threat? We must acknowledge how dependent we are on cyber infrastructure and focus on making our systems, companies, and industries more resilient. Not enough companies and institutions understand the threat of cyber attacks and not enough of them are investing in cyber security and creating resilient infrastructure. A well-orchestrated attack could take down a company, an industry, or an event – without warning.

We are experiencing a series of cyber attacks that continue to escalate in severity and we are failing to take steps to harden our normal infrastructure, never mind the temporary networks created for large sports events. The motivations behind a cyber attack could be ideological, financial, or to affect the outcome of the event – but the reason is not as important as the understanding that cyber attacks on a sporting event could be the easiest attack to execute and could cause a high level of disruption. We must develop baseline standards to protect our most critical infrastructure and ensure its resiliency against basic and sophisticated attacks.

One of the most effective ways to create resiliency is to develop redundancy. A sports complex – and hosted events – should have complete redundancy for its entire critical cyber infrastructure, and a comprehensive security strategy for a sporting event must include a cyber-security plan that includes redundant cyber infrastructure.

The importance of being prepared

Few people apart from those involved in the operations of the Salt Lake City Winter Olympics knew about the security compromise because of how well prepared and coordinated the key stakeholders were.

The suspect pleaded guilty to detonating the bomb at the Utah Power terminal substation, because he was angry with his employer. The Utah Olympic Public Safety Command (UOPSC) participated in a group that staffed a 24/7 operation in the Olympic Operations Centre and coordinated infrastructure support from regional cities, counties and the private sector. The team had ensured that redundancy was built in, and the unprecedented level of close coordination ensured a quick response, minimal power disruption – and little awareness of the incident by others.

Building resilience into event security ensures that the venue and community can recover quickly after a disruption. In the case of sporting events, pre-disaster preparedness must be established and maintained so that when the normal state transitions to the event state, those responsible for the execution of the event are prepared for any hazard with which they are confronted. However, it is also important to recognise that resiliency should be integrated into all functions because it is critical for daily operations, not just to respond to news-making disasters.

The focus is not on eliminating adversity. Countries all over the world have suffered unpredictable disasters and disruptions; we will never be able to eradicate the causes – natural, deliberate or accidental. A resilient system is created by outcome-driven strategies that, like London’s call for reinforcements and Salt Lake’s pre-event preparedness and coordination, meet the variable demands of the event state, and ensure and maintain a stable and functioning community.

Kiersten Todt Coon is the President and CEO of Liberty Group Ventures, LLC and is a former Professional Staff Member on the US Senate Committee on Homeland Security and Governmental Affairs.

Banks Seek U.S. Help on Iran Cyberattacks (Wall Street Journal)

By SIOBHAN GORMAN and DANNY YADRON

Major U.S. banks are pressing for government action to block or squelch what Washington officials say is an intensifying Iranian campaign of cyberattacks against American financial institutions.

Financial firms have spent millions of dollars responding to the attacks, according to bank officials, who add that they can’t be expected to fend off attacks from a foreign government.

Defense officials have said Iran’s government is behind the assault. Officials from several affected banks, including PNC Financial Services Group Inc., SunTrust Banks Inc. and BB&T Corp., are urging the U.S. government to stop or mitigate the attacks, according to investigators.

The outcry is particularly significant from an industry that usually seeks to keep the government at arm’s length. Financial-services groups opposed a legislative effort last year to establish cybersecurity standards for key private-sector businesses, saying it could undermine protections already in place.

“The financial sector has historically been so sophisticated and organized in its security approach,” said Kiersten Todt Coon, a former staff member on the Senate Homeland Security and Governmental Affairs Committee and now president of Liberty Group Ventures LLC, a risk-management firm. “When they choose to go to the government, that shows how strong the severity of this threat is.”

The Iranian government “categorically denies” any involvement in the attacks, said Alireza Miryousefi, spokesman for Iran’s mission to the United Nations. “The malicious, false allegations against Iran are aimed at demonizing Iran and provide the excuse for further actions,” he added. Tehran has complained to the U.N. about foreign cyberattacks against Iran.

U.S. officials have been weighing options, including whether to retaliate against Iran, officials say. The topic was discussed at a high-level White House meeting a few weeks ago, a U.S. official said, adding, “All options are on the table.”

U.S. officials believe they have some time to assess options, because the assaults haven’t escalated to the destruction or manipulation of bank data, the official said. But the affected banks, seeing an unending assault that is soaking up profits and undermining consumer confidence, say the problem is urgent. “We’d like them to act,” one bank official said.

The incidents are believed to have begun early last year as unusually potent “denial-of-service” strikes on Bank of America Corp., investigators say. Such attacks aim to knock an organization offline by bombarding its website with electronic requests. Because of the complex execution of these high-end denial-of-service attacks, it was difficult to immediately defend against them, a telecom-industry specialist said.

The hacking network surfaced again over the summer, attacking oil and gas companies in the Persian Gulf.

In September, the group turned back to U.S. banks. The next month, Defense Secretary Leon Panetta warned the perpetrators to cease, but the U.S. government hasn’t acted to put a stop to the attacks.

Initially, the assaults on individual banks were announced by hackers in advance. But lately, they have targeted multiple banks simultaneously without specific warning. The attacks have affected most of the top dozen U.S. banks, investigators and bank officials say.

The group’s most recent Internet announcement boasted its resiliency. “Despite the high cost of U.S. banks to deal with these attacks, the attacks cannot go under control and are unstoppable,” the group wrote on Jan. 8.

The hackers are using a network of tens of thousands of infected computers running corporate websites, investigators say. The attacks are considered more difficult to stop because they are coming from computers that could have legitimate reasons to communicate with the banks, said one bank official. Roughly half of those computers are overseas and out of the reach of U.S. law enforcement.

Bank representatives have discussed the attacks with officials from a range of U.S. agencies, including the White House, National Security Agency, Federal Bureau of Investigation, Department of Homeland Security, and Treasury Department.

Treasury officials held a series of meetings with individual bank representatives in December to ensure that all parties were working from the same set of information about the attacks, an investigator said. The FBI has been providing updates and warnings to banks of impending attacks as it continues an investigation. In some cases, U.S. officials have visited banks to assess their data, the investigator said.

A number of affected banks would like the government to either block the attacks or take down the network of computers mounting them, bank officials said. Other options for government action include complaining through diplomatic channels and counterattacks, said industry officials familiar with the investigation.

The U.S. government also could work with Internet providers to block traffic coming from computers in Iran tied to the network, a former U.S. official said.

Overall, the financial services industry is still split over whether Washington should take on a more forceful role.

Last month, financial services executives, regulators and officials from the departments of Treasury and Homeland Security gathered at a meeting in the Washington suburbs to discuss the latest round of attacks. Some argued that the U.S. government should go after the hackers, while others cautioned that offensive action could lead to retaliation, additional attacks against the banks, or unforeseen consequences, said one security executive who attended the meeting.

Most of the banks declined to comment. PNC, which has acknowledged the attacks, referred to its statement to customers that the bank “has taken steps to block this [attack] traffic and maintain online and mobile banking access for the vast majority of its customers.” A SunTrust spokesman said the company wouldn’t comment “on security-related matters.”

An Obama administration official said the U.S. government has been “a very active partner” in working with the private sector. The Treasury Department, National Security Agency and Federal Bureau of Investigation either declined to comment or referred questions elsewhere.