PJ Media asked Andy Jabbour, the co-founder and managing director of D.C.-area security firm Gate 15, to offer some thoughts on the current homeland security climate and how threats are being addressed at every level.
Jabbour served eight years as a U.S. Army field artillery and civil affairs officer with tours in Kosovo, Iraq and Afghanistan. For several years he led contract support to planning, training and exercise projects and supported various national incidents for the Department of Homeland Security’s Office of Infrastructure Protection, as well as leading projects at the Department of Defense, the U.S. Army Corps of Engineers and the U.S. Nuclear Regulatory Commission. Jabbour leads Gate 15’s risk management and critical infrastructure operations with a focus on information sharing, threat analysis, operational support and preparedness activities.
Q: You work with a variety of threats, domestic and international. Which security scenario should be a greater focus of training among government and private entities?
A: So, the quick answer is that regarding physical security, the threat of hostile events broadly — low-tech terrorism, active shooters, workplace violence, etc. — is something that needs to be an area of focus for all organizations. What that means varies from organization to organization, but it’s thinking through the threat broadly and being ready for it both operationally in response as well as in terms of workforce education, messaging, resilience and other areas. On the cybersecurity side, it can seem overwhelming for many as they hear about scams, malware, identity theft, Internet of Things, etc. I think many organizations need to really just focus on fundamentals and general preparedness for potential cyber disruptions. That means basic blocking and tackling type stuff, like having plans and procedures in place, threat awareness/staff education programs and simple exercises. The Federal Trade Commission just put out new resources for small businesses and there are plenty of others as well. At the user level, being aware of the general types of scams and tactics that may be used is probably the right level to focus on for most organizations right now, and build from there.
Q: What is the general prevalence of unaddressed security vulnerabilities, including physical or cyber attacks, at government and private entities?
A: It’s hard to say that across the board – every organization does things differently. In physical security issues, a lack of appreciation as to the threats, risks and potential impacts, combined with a lack of time and resources, leaves a lot of neglected areas. In cybersecurity, some organizations are great and very proactive but a lot aren’t, for a number of reasons. For some, trying to apply patches during certain periods is a risk they consider bigger than the risk of an attacker capitalizing on that exposure. That leaves them vulnerable, but by their risk calculation it’s a chance they’ll take.
As kids, we all grew up doing fire drills. Schools assessed that while unlikely, the potential disaster of kids being trapped in a school that was experiencing a serious fire was too big to not prepare for. So, we ran fire drills. As adults, we need to take the same approach to our organizations. Fire drills are still important, but so are other response exercises – hostile events, responding to a ransomware threat, anticipating seasonal weather issues – those threats that are assessed as serious risks need to be addressed.
You can’t do everything – no one can – so focus on fundamentals. When you address hostile events, you cover the same fundamentals needed for responding to active shooters, explosives, workplace violence and simple acts of terrorism. In cybersecurity, having basic incident response procedures will help an organization address the immediate crisis, but of course additional expertise may be needed depending on what the situation is. In both physical and cybersecurity, and for pandemics and other threats – it is great to have detailed protocols but sometimes those may cover the 10-20 percent left unanswered by a basic response plan. In most cases, you’re going to settle for the 80 percent solution and accept that a lot of it is going to be adjusting to the reality of events on the ground. Your plan is almost never going to be based on the exact situation you find yourself in. Not in war, not in a fight, not in incident response.
Q: Six years ago, the U.S. government ditched the color-coded terror alert system for a National Terrorism Advisory System. Do entities feel more or less confused about the current state of alert under the colorless system?
A: I love this topic! When I was supporting DHS we had numerous discussions revolving around HSAS and the colors and caveats. The need to improve that system was clear. But NTAS has been a fumble. It’s not that it’s more confusing, it’s that it’s useless. It took a long time to try and apply it and when it was introduced, in some ways it ran counter to the way it was intended. Neither specific or really time-constrained, it isn’t telling anyone anything nor driving anyone to respond in any way. For the public, it’s useless. Run a poll and see how many people even recognize the term “NTAS.” When you assess an exercise or real incident response, planning and communications almost always come up as areas that can be improved. With our threat levels, we need to develop ways to communicate threats clearly and effectively. Sadly, it becomes a political game and a bit of cover-your-bottom – no one wants to reduce a threat level and then have an attack the next day. The Bush administration sort of took on a “never again” attitude after 9/11 and Obama didn’t do much to change that. That doesn’t help the public mentally prepare for the reality that terrorism will occur. But people get it. We’ve sadly had a number of incidents that have shown that – while absolutely tragic and devastating for the victims and their communities, the rest of America, and the many other nations that have been hit much harder — we go on. We mourn, but we’re not going to let some deranged extremists frustrate our way of life. We’re resilient. Our communications on threats should respect that, and leaders should be brave enough to accept they may get it wrong sometimes, because bad things happen.
Q: With such a range of hostile events facing government and companies, which scenarios pique the concern of these entities the most right now?
A: Well, its funny, if that’s not a horrible way to say it: More broadly, everyone is antsy about cybersecurity because it’s faster, less understood and we’re on our devices non-stop. When Netflix doesn’t work, we freak out. We probably don’t think nearly enough about the things that we know are coming and are going to be devastating – the hurricanes and the earthquakes (most people just have no idea what a massive West Coast or New Madrid earthquake is going to do when it comes – and its not an “if”). With hostile events, I think we’re moving in the right direction. While I encourage organizations to think of it more broadly, you see increasing investment of time and dollars in preparing businesses and government – military included – for active shooters. If you can respond to that well, you’re achieving the 80 percent I mentioned above. The other 20 percent– good to strive for, but you can pivot effectively from 80 percent. That’s the right thing to do and needs to continue. At a certain level, attacks become much bigger than a business can be expected to respond to – their response will be local, focusing on their people and facilities. Recognizing the threats, assessing the risks, the federal government has made a very smart investment via grants to fund local preparedness for what are called Complex Coordinated Terrorist Attacks. Think of what happened in Paris in November 2015. That is a tough situation and one that is hard to work through. DHS has invested in funding CCTA preparedness but is also doing a lot of other work to help enhance local communities’ abilities to respond to crises that may occur in their areas and across jurisdictional lines. That investment needs to be continued because honestly, that’s the nightmare scenario. The spectacular attack is always something extremists will aspire to but it’s hard to pull off. Six or eight guys with guns and bombs – that can be absolutely devastating in so many ways.
Q: Many threats that we see today are posted in open-source locations such as social media, understandably stoking fear of businesses, localities and residents. How do you filter down those vast threats to give entities a more targeted threat-preparation plan?
A: Well, there’s so much propaganda, I think we’re getting a little numb. At first, the videos and the kill lists were a little shock value. Increasingly, I think the public is tuned out and just takes it broadly as “crazies want to kill us – nothing new.” We encourage everyone to filter through all those threats – because it can seem overwhelming – and focus on the risks that can really impact their organizations and then spend a little time and effort planning and preparing for those. It’s a simple thought process: understand the threats, assess the risks, conduct appropriate preparedness and operations accordingly to reduce those risks to reasonable levels. You accept some risk, you get some insurance, and you go about your business. But, planning – and training and exercises – need to be thought of like insurance in that you don’t pay insurance once and stop. You pay it month in and month out, use it or not. Same thing with preparedness. It needs to be scheduled and recurring. Don’t check the block, do the right thing.
Develop plans, talk to your neighbors and local law enforcement, educate your personnel – be aware and ready for the type of threats you’re most likely going to see. The Islamic State’s “Just Terror” and al-Qaeda’s Inspire Guides and a lot of the other propaganda and encouragement continue to be the same basic thing – kill with simple attacks any way you can. Whether it ends up as a radicalized Muslim extremist or any other kind of extremist – or if it’s an angry employee or a disgruntled lover in an incident of workplace violence – for individuals and businesses, a lot of the planning and preparedness is going to be similar.
Q: Have the Russian campaign influence operations in the U.S. and Europe heightened local government and private entities’ concerns about cybersecurity, even attacks from nation-state actors?
A: Yes, and no. Government has been shifting to provide more resources and focus to cybersecurity for a while and that continues. At the local level, we’re seeing increased cyber threat awareness, resources and information sharing than we did just a few years ago. Fusion centers, for example, have come a long way and matured a lot since they got started and there are some sharp minds and hard workers trying to make them more effective. With businesses, also yes and no. Yes, more organizations are hiring personnel to focus on technology and security and that is needed. More and more are joining information-sharing communities and that is needed. We’re seeing more bug bounties and greater collaboration between manufacturers, researchers and users. But there is still a long way to go, in collaboration and in individual user awareness. Whether we’re talking about John Podesta or the recent Google Docs attack, the little things are still the ones that get us in trouble and businesses need to do more to educate and prepare their personnel. The good news is we’re learning. The way the Macron campaign prepared for and responded to their late-breaking election hacking news showed they understood the threat, assessed the risks and that lessons had been learned and applied. Leaders in businesses around the country are increasingly coming together to enhance their collective security and learning to work together, even while competing in business. And what isn’t as well seen but is certainly happening – there are some really incredible and talented people fighting the cyber fight every hour, every day. Unsung heroes really who are working constantly and frantically so you, me and everyone else can safely shop, eat, stream and waste time playing with our new apps. But (!) I’m not sure Johnny is paying attention. Johnny still really wants to click that link…