March 1st, 2013

Security strategy has evolved since 11 September 2001, from a focus on prevention to a wider consideration of resilience. This approach has particular relevance to mega sporting events, where the ability to recover from disruption and complete the event is both important and time-sensitive. Kiersten Todt Coon discusses the value of resilience during major events.

On the final day of the Winter Olympics, an explosive device is detonated at a critical power substation for the statewide power company in close proximity to the international airport. The blast causes widespread power outages and sparks a fire at a nearby oil refinery, raising fears of terrorism. It knocks out power to 30,000 people.

How does this incident affect the Games? Do they need to be cancelled? What could have been done to prevent or mitigate the attack?

This event actually occurred on the final day of the 2002 Winter Olympic Games in Salt Lake City, but it barely made the local news, let alone national or international outlets. Why?

Following the attacks of 11 September 2001, the United States vowed that such an event would “never again” take place on its soil. I served in the US Senate during and after 9/11 and was on the team that drafted the legislation to create the Department of Homeland Security. As we developed each component of the Department, a primary question we asked was how could we prevent another attack, and what could be done to ensure this tragedy or something like it never happened again.

However, there has been a shift in thinking since 9/11. While prevention will always be important, it sets us up for failure because it is impossible to prevent every attack from occurring. The focus of security and crisis managers is now – and should remain – on response, recovery and resilience. We no longer question whether attacks, disasters, crises – whatever term we choose to define damage – will occur, but when. And when they do, how resilient are we? How quickly can we bounce back?

The Department of Homeland Security defines several “events of national significance”, or National Special Security Events (NSSE), that require the development and implementation of security operations. These range from presidential inaugurations to public funerals. They draw a large audience and are often covered live by broadcast media. These events are the ones for which we prepare with knowledge about most of the event components, but they are vulnerable because they are high-profile events and, therefore, attractive to an individual or group wishing to make a statement, or to embarrass a community or country.

To understand how to respond and recover from a disaster that affects a special event, we must understand what kind of incidents are being considered. Post 9/11, we focused almost exclusively on terrorist attacks, but we now know that the most efficient and effective use of resources is to build a security template that protects against hazards of all kinds, natural and man-made. In 2005, Hurricane Katrina demonstrated how an exclusive focus on tackling terrorism was a spectacular mistake.

Creating a resilient infrastructure

Sporting events can be targets for lone wolves who want to make a statement, or for larger terrorist groups that seek to debilitate a culture or community, psychologically and physically, through fear and damage. Therefore, sporting events drive the resilience point home – hard. The diverse methods of attack make it impossible to anticipate how an attack will be carried out, and therefore impossible to prevent it with a 100 per cent guarantee. Creating a resilient infrastructure for a sporting event is crucial.

We must first identify how characteristics shift from a normal state of activity (‘business as usual’) to the state surrounding the preparation for, execution of, and recovery from a sporting event. We have typically understood this shift in the context of a move from a normal state to an emergency state.

This concept has been applied most effectively to supply-chain management, which is a critical component of successful crisis management. The ability to deliver resources to points of need is a strong indicator of effective crisis recovery. Characteristics change in the supply chain between the normal state (ie day-to-day operations) and the emergency state (unpredictable disruption or disaster). Understanding how and when these characteristics change enables us to create a more resilient supply-chain infrastructure that can be agile and will continue to operate in a crisis.

The table below outlines how key characteristics change from the normal state to the emergency state. Because an emergency is unpredictable, it is difficult to anticipate when the shift occurs.

Identifying how characteristics shift from the normal state to the emergency state informs how we can most effectively prepare for a sporting event, or the event state. The event state is a hybrid of the normal and emergency states (ie has shared characteristics of both) and falls in between. By understanding the shared characteristics, and when the shift from normal state to event state occurs, we can most effectively prepare for the event state and create a resilient infrastructure – and a resilient sporting event. The event state demonstrates that creating resiliency is not only important in the face of a disaster, but it is important for the efficient and effective functioning of day-to-day operations.

The characteristics that are shared between the normal state and event state are those that are known before the event occurs. For example, we know the location and timing of the event and we can apply traffic-pattern knowledge. We are able to anticipate the number of people who will attend and participate in the event, and we have a general sense of the role that weather will play. Additionally, in the normal and event states, we know the physical and cyber infrastructure upon which we are relying.

To prepare for the event state we must identify the key characteristics that change from the normal to event state. One advantage of the transition to the event state, as opposed to the emergency state, is that we know when the state changes. The purpose of security in the normal state is to ensure the function of the local population. As soon as preparations begin for the sporting event, the state begins to shift. Examples of the characteristics that shift are the number of law enforcement personnel focused on the event, the surge in people who will be attending the event, and how that surge affects commercial and public infrastructure. While we can anticipate the number of people, the important difference between the normal state and the event state is how quickly the surge happens and how the crowd control is managed.

One of the other salient characteristics of an event state, as it relates to a sporting event, is the game itself and how it affects resiliency. What we cannot anticipate is how the fans respond to the game – disagreement with refereeing decisions, winners, losers, other factors that can incite fan anger or boisterous behaviour that becomes unsafe and interferes with the experience of others. By understanding the characteristics that shift between the normal state and the event state, we identify the components of an event state that must be resilient.

How can we create resiliency? The official definition of the method laid out by the US Government’s Presidential Policy Directive 8 is: “Resilience refers to the ability to adapt to changing conditions and withstand and rapidly recover from disruption due to emergencies”. The goal is to produce a venue or operation that is able to absorb the impact of an interruption.

Planning for the event state

An organisation builds a resilient security system for an event by developing and executing activities that support prevention, protection, response and recovery.

Specifically, citizens/participants who are aware of their surroundings and the potential for disruption can inform local authorities of suspicious activity. In July 2010, the US Department of Homeland Security launched an effective public-awareness campaign – “If you see something, say something”. It is described by the Department as “a simple and effective programme to raise public awareness of indicators of terrorism and terrorism-related crime, and to emphasise the importance of reporting suspicious activity to the proper local law-enforcement authorities”. This campaign engages the public and asks ticketholders and attendees to take ownership of security. Public-communications networks are in place to detect a problem early on, and can protect citizens by arming them with information. We do not have to live in a state of paranoia, but it is our responsibility to live in a state of awareness.

The framework for the US Department of Homeland Security Community Resilience Task Force suggests that maintaining a level of pre-event preparedness is the key to success in a crisis. It states that “resilience must be ‘front-loaded’ into preparedness efforts, not seen as an afterthought following an event, when efforts to enhance resilience may be hampered by association with failure”. Exercising and training are valuable resilience tools. Conducting war games and tabletop exercises that simulate potential events and force stakeholders to think through how they would act and respond during a disruption is an effective way to build organisational resilience.

Imagine if the security approach to the London 2012 Olympics and Paralympics had been solely to prevent attacks, rather than maintaining resilience in the face of disruption. London, and other parts of the UK, would have become a police state. But the London 2012 Games were flawless, in a sense, because of the careful transition made from the normal to event state in the weeks leading up to the Olympic Games.

The UK’s Olympic and Paralympic Security Directorate (OSD) within the Home Office had to prioritise its security concerns. Planning for an event of this magnitude calls for everything to be connected, otherwise, as noted by Will Jennings and Martin Lodge in The Olympic Games: Coping with Risks and Crises at a Mega-Event, “an isolated disruption [could] have far-reaching effects across both the site and programme of events”. Access routes to and from Olympic sites overlapped with the OSD’s plans for evacuation. First-aid tents appeared at choice points throughout the city. The task was tremendous, but the OSD was successful. Certainly, previously constructed hardened infrastructure, such as the ‘Ring of Steel’, and experience with managing and responding to large events greatly enhanced the OSD’s ability to ensure a resilient and flawless event.

Normal to Emergency State

CharacteristicCommercial logistics (normal state)Humanitarian logistics (emergency state)
Objective pursuedMinimisation of total logistic costsMinimisation of human suffering
Knowledge of demandKnown with some certaintyUnknown and dynamic due to lack of information and access to the site
Decision-making structureStructured interactions under control of a few decision-makersNone-structured interactions with influences of possibly hundreds of decision-makers
Periodicity and volume of logistic activitiesRepetitive, relatively steady flows, “large” volumesOnce-in-a-lifetime events, large pulse of flow, relatively “small” volumes
State of supporting systems (eg transportation)Stable and functionalImpacted and dynamically changed

Last-minute security concerns

The only major disappointment was regarding contracted private security staff. Some 10,000 contracted private security did not meet the need of the 31 venues, and were considered between four and 35 per cent off-target. London planners took executive action and ordered additional military personnel to serve.

Deploying active duty military had three effects: increasing the overall competency and skillset of the security staff; increasing the confidence of attendees in the event security; and acting as a deterrent for individuals or groups who may have tried to exploit flawed security. The planners filled the gaps and met the demands of a comprehensive security strategy.

What are the primary concerns in the event state? We know that our physical infrastructure is highly dependent upon our cyber infrastructure, but cyber security is often neglected or minimally addressed, even though it is now the foundation of event operations and planning.

In a sporting event, the cyber infrastructure controls critical components, such as match clocks, timing for races, and rapid, real-time calculations revealing which athlete or team is winning, or who won, and it manages the financial infrastructure of the vendors. Hacking in to this infrastructure could have widespread consequences – some of which may even go unnoticed. And, as we continue to be reminded, cyber infrastructure is being compromised more frequently and with a greater level of severity, debilitation and destruction than ever before.

The critical role of cyber security

The challenges to crime being executed through cyber outlets are that it is anonymous and it can be done from anywhere. The logistical obstacles around cyber crime are minimal to the offender – unlike the obstacles an individual who has a bomb must overcome to execute his or her task. Additionally, the comprehensive impact to a state of a cyber attack can be far greater than a physical event.

Earlier this year, a computer virus called Shamoon attacked the Saudi Arabian oil company, ARAMCO (and the Qatar energy company, Ras Gas, a few days later). What was alarming about this attack was that the virus took data and intellectual property and damaged the 30,000 computers it infected. The United States Secretary of Defence, Leon Panetta, said the Shamoon virus was “probably the most destructive attack the private sector has seen to date”. Attacks on the US financial sector this year reflect an ability to affect more users at a much higher speed. Globally, we are seeing a rapid and threatening evolution of the cyber threat.

How do we combat this growing threat? We must acknowledge how dependent we are on cyber infrastructure and focus on making our systems, companies, and industries more resilient. Not enough companies and institutions understand the threat of cyber attacks and not enough of them are investing in cyber security and creating resilient infrastructure. A well-orchestrated attack could take down a company, an industry, or an event – without warning.

We are experiencing a series of cyber attacks that continue to escalate in severity and we are failing to take steps to harden our normal infrastructure, never mind the temporary networks created for large sports events. The motivations behind a cyber attack could be ideological, financial, or to affect the outcome of the event – but the reason is not as important as the understanding that cyber attacks on a sporting event could be the easiest attack to execute and could cause a high level of disruption. We must develop baseline standards to protect our most critical infrastructure and ensure its resiliency against basic and sophisticated attacks.

One of the most effective ways to create resiliency is to develop redundancy. A sports complex – and hosted events – should have complete redundancy for its entire critical cyber infrastructure, and a comprehensive security strategy for a sporting event must include a cyber-security plan that includes redundant cyber infrastructure.

The importance of being prepared

Few people apart from those involved in the operations of the Salt Lake City Winter Olympics knew about the security compromise because of how well prepared and coordinated the key stakeholders were.

The suspect pleaded guilty to detonating the bomb at the Utah Power terminal substation, because he was angry with his employer. The Utah Olympic Public Safety Command (UOPSC) participated in a group that staffed a 24/7 operation in the Olympic Operations Centre and coordinated infrastructure support from regional cities, counties and the private sector. The team had ensured that redundancy was built in, and the unprecedented level of close coordination ensured a quick response with minimal power disruption – and awareness of others.

Building resilience into event security ensures that the venue and community can recover quickly after a disruption. In the case of sporting events, pre-disaster preparedness must be established and maintained so that when the normal state transitions to the event state, those responsible for the execution of the event are prepared for any hazard with which they are confronted. However, it is also important to recognise that resiliency should be integrated into all functions because it is critical for daily operations, not just to respond to news-making disasters.

The focus is not on eliminating adversity. Countries all over the world have suffered unpredictable disasters and disruptions; we will never be able to eradicate the causes – natural, deliberate or accidental. A resilient system is created by outcome-driven strategies that, like London’s call for reinforcements and Salt Lake’s pre-event preparedness and coordination, meet the variable demands of the event state, and ensure and maintain a stable and functioning community.

Kiersten Todt Coon is the President and CEO of Liberty Group Ventures, LLC and is a former Professional Staff Member on the US Senate Committee on Homeland Security and Governmental Affairs.