Applying InfoSec Lessons to Public Safety

The past week in the US has been particularly difficult as we go through the aftermath of a couple more shooting incidents, which tops off a "cluster" year of incidents. While much could be said about the gun control debate, the deficiency of mental health care in the US, and the psychology of these shooters, I am not going to spend any time on that here. Rather, I want to talk about how we can apply a modern infosec mindset to public safety, which is, after all, really the point of many of those debates. Apologies in advance for this being a rather long post. Hopefully you'll find it thoughtful and worthwhile.

Risk Management 101

Before getting into the core points, I want to first level-set. The following principles are important to understand and accept:
1) There will always be threats and threat actors.
2) We cannot harden the world against everything.
3) Given 1 & 2, there will always be risk.

In addition to these principles, it's also important to understand the difference between a couple of risk management strategies. Consistently, human nature seems to sprint to a "zero sum" mentality with the objective being to eliminate all threats or weaknesses. Unfortunately, this is a logical fallacy, and a fatal trap. We cannot even know all threats and vulnerabilities, and thus there's no way to eliminate them all.

Instead, it is imperative that we adopt a different strategy based on the principles of resiliency and survivability. While these strategies will necessarily include opportunities to reduce threats and weaknesses, they will also put a premium on detection of, and rapid response to, various incidents. Overall, our public safety strategy will benefit from learning this lesson, which we're still only starting to grasp in mainstream infosec. Prevention and correction are great tools toward helping prepare ourselves, but we cannot do so at the expense of other types of readiness that lead to more effective detection of incidents and the limitation of the magnitude of losses associated with incidents.

Hardening Environments

As just noted, there absolutely is an appropriate place for prevention, such as through hardening environments. One of the key shifts in thinking that has occurred over the past 20 years is from expecting a hostage-type situation to an "active shooter" type situation. When your assumption is that the perpetrator does not primarily intend to harm others, then your approach can be more passive. However, if your assumption shifts to assuming that the primary objective of a perpetrator is to cause as much harm as possible, then you need to balance your hardening accordingly.

In infosec, we've seen this shift as well over the past 15+ years. In the late 90s we were really most concerned about opportunist defacers trying to "tag" our sites, but there wasn't too much concern about harm. However, as more and more sensitive data has moved online, so has the nature and focus of the attackers. We now must operate under the assumption that an attacker seeks to cause harm, either by denying us access to data or systems, or by compromising sensitive data.

So it also is with public safety. Columbine taught us that attackers may not be interested in hostages any more, and this startling reality has continued to play out in ensuing incidents. Similarly, terrorists demonstrated this same shift with the 9/11 attacks, moving away from hostages to using the planes as missiles.

Given this shift in the public safety spectrum, we must also then think about how our hardening approaches change. With infosec, one of the key shifts was getting away from the "crunchy on the outside, gooey on the inside" mentality of relying on hardened perimeters without adequate internal security. And, today, we're even now starting to see increasingly articulate and well-founded arguments to take things a step further, allowing organizations to employ an "active defense" strategy that would potentially enable them to disable botted hosts being used in attacks, or take down other offending servers (TBD on much of this - especially from a legal basis).

Back to public safety and the real world, we also likely need to see a shift in terms of how we harden our environments. Schools, for instance, cannot simply rely on maintaining locked doors (as the Newtown incident clearly demonstrated). We need to consider hardening these environments a bit more, but without turning them into bunkers, prisons, or reducing functionality. For example, many schools still use the "open layout" approach, meaning classrooms lack doors and other characteristics that would be helpful in a lockdown situation. Going forward, architects and planners must consider a possibility of an active shooter event at a facility and try to design it in such a way as to reduce the effectiveness of such an attack, while also providing mechanisms for rapidly detecting and responding to such an event.

That said... the point of diminishing returns will be quickly reached... after all, shopping malls can only be hardened so much because they are by nature public facilities intended for free access (during regular business hours). Checkpoints and security screening would likely be considered an unacceptable nuisance (not to mention having limited utility). Thus, we have to move beyond simple hardening, and on to other areas of practice.

Threat Management & Intelligence

An ounce of prevention is good, but any more than that can quickly become needlessly expensive. As such, it's also imperative to diversify approaches to include other capabilities. In this case, the addition of threat management and threat intelligence can be very valuable. In infosec, one of the key areas where we see these concepts working is through information sharing networks. The financial services sector has created a relatively mature information sharing network that has allowed it to better respond to various threats. Additionally, there are many services available that help businesses keep track of current and emerging threats and threat capabilities. These practices will never be perfect, but they are helpful.

Another area in infosec where threat intelligence comes into play is simply through monitoring and awareness. I'll talk more about general awareness below, but here let's look at internal monitoring and awareness. Security Information and Event Management (SIEM) systems represent a potentially important intelligence collection point where businesses can bring together logs and alerts from multiple sources with an eye toward aggregation and correlation. The goal of bringing this data together is to help catch broader patterns before they result in major incidents.

Similar practices can also be applied in the public safety space, and in fact have been used for a while. Closed circuit video surveillance is one such example of a monitoring tool used toward threat management and intelligence. Similarly, local and regional law enforcement frequently offer training opportunities and information bulletins to help organizations stay apprised of the threat environment.

In the post-9/11 world we've also seen a push toward much more information sharing. Sometimes this has worked, and sometimes it hasn't, but that doesn't mean it's not a good idea or the right thing to do. Fusion centers have been established to serve in a capacity similar to our SIEM systems. You can debate their efficacy, but the foundational notion is solid, which is that information needs to be aggregated, correlated, and shared.

For schools, this can mean having better (video) surveillance around the facility to more quickly detect and alert on a threat, as well as providing other mechanisms for quickly reporting concerns. Through training and communication, all personnel could be trained to make use of this system, as well as to follow better situational awareness practices.

For public places like malls, they typically already have monitoring and response plans in place. The challenge is in making sure these practices are properly optimized without being unacceptably expensive.

In both cases, balancing benefit vs. cost will be key (something with which we in infosec are also intimately familiar). It's also important to again realize that this is only one piece of the overall puzzle, and that the objectives here are to improve prevention and detection capabilities toward reducing all loss events.

Sidebar: Limits to Governance and Similar Controls

Before continuing on, let's take a moment to also look at a key lesson from infosec as it pertains to governance (e.g., policies and policy enforcement). You can have all the rules in the world, but that doesn't mean criminals will follow them. Moreover, if enforcement is inconsistent or simply not done, then there will be even bigger gaps between intended coverage and actual effectiveness.

The reason I'm including this sidebar is to provide a word of caution. As we've seen over and over again in infosec, just because you have a policy prohibiting one thing, or requiring another, does not translate to immediate conformance. In fact, simply put, rules are nice, but they're difficult to enforce. To top things off, we've found that without negative consequences to hold people accountable, there's frequently little impetus for conforming to policies.

There will be much debate in the coming weeks and months, and a lot of it will focus on governance structures. However, governance is really for the law abiding, and not for the criminals. It is imperative when considering new governance structures that one also assume that a certain subset of the population won't conform. Toward that end, penalties must be specified and enforced. Moreover, the penalties must be severe enough to incentivize conformance, or disincentivize failure to conform.

Overall, policy can be an effective tool for communicating a desired approach, but it is not the end-all-be-all. Additionally, bad policies can have a detrimental effect. Consider, for example, the now antiquated export restrictions on encryption software, which were typically circumvented by simply publishing the associated algorithms in academic journals. Or, consider the security researcher exception for the anti-circumvention clause in the DMCA. Or, consider what the negative impact would be of outright banning security tools, which have both positive and negative uses.

In public safety, we must also weigh these conversations accordingly. Sadly, I see a lot of obsession over tools, but without full consideration of or appreciation for the many positive use cases, as well as a lot of misunderstanding and misinformation that overhypes the negative use cases. A friend commented over the weekend that ~44 people die each day (in the US) due to drunk driving, which is 100% preventable. However, policy decisions have been made that allow people to own and operate personal vehicles and that allow people to consume alcohol. It's notable that drunk driving incidents have, however, been successfully reduced through using a range of alternative approaches. More draconian approaches could be applied, but policymakers have chosen not to pursue those avenues. Such thinking shows the necessary tradeoff analysis that must be conducted when setting policies, combined with the sober realization that you simply cannot legislate away all bad things in life. We have, for the most part, learned this lesson in infosec, and have modified our approaches accordingly. We will continue to see these conversations evolve regarding public safety as well.

Back on track now...

Preparedness & Survivability

We've spoken about hardening environments and improving threat management & intelligence, but there's certainly more to be done. In infosec we have finally started to realize (in the mainstream) that the "zero sum" mentality is flawed, and that we will have to absorb security incidents. Accepting this reality is key in a few areas. First, it means realizing that there will continue to be loss events. Second, it means that we need to be prepared for dealing with these loss events. And, third, it means that our focus should not be exclusively on preventing loss events, but on optimizing survivability of these events.

Applying this notion to public safety, we must first come to grips with a sobering reality: we cannot prevent all loss-of-life or casualty events. It's simply not possible, regardless of the type of governance or values of society. Regardless of style of government, every country in the world deals with both accidental and intentional loss of life. As such, we must realize that, while prevention is a laudable goal, it cannot lead to 100% prevention of bad things. We must, then, employ a different approach.

As such, there are a few things that are important for preparedness and survivability. Having reasonable lockdown procedures is a start, but it also means drilling and evaluating them. However, this is just a defensive measure. As discussed in the Hardening section above, we need to reevaluate how our facilities are designed to ensure that they account for an active shooter attack. Similarly, our procedures and drills must work off this assumption, and our personnel must be trained to respond appropriately to this kind of threat.

One idea that has been tossed about the past few days has been the notion of arming everyone (teachers, principals, etc.) in order to help protect schools. This is a rather silly notion based on the philosophy of projecting power. There's certainly a modicum of rationale in the idea, but overall it's unsupportable. Instead, a better idea is to focus on key full-time positions like office staff and school administrators to ensure that their training includes how to effectively deal with an active shooter. It may also mean going to the next step of providing principals, or specially designated onsite responders, with better tools, such as bullet-proof vests and less-than-lethal weapons (e.g., taser, shotgun with salt or bean bag load, etc.). Additionally, being prepared means being able to monitor for suspicious people and alerting the police calmly and efficiently while others confront the suspects (preferably with a degree of force).

Beyond this, we must also then look into how to ensure survivability. For example, many schools and malls are designed in a way that naturally breaks things up (classrooms, stores, etc.). In infosec we similarly try to segment our environments. Another aspect of this is to build in containment capabilities and strategies. For example, adding a non-alarmed trigger to release fire doors could provide better containment and cover, so long as the fire alarm itself is not triggered, which would then likely make things worse by triggering fire evacuation procedures, exposing everyone to an active threat.

The point here is this: focus on being ready for incidents in order to optimize survival. Don't give in to rigid governance structures that don't generalize well. Be flexible and adaptable, and build that into your overall survival strategy. Furthermore, boost preparedness so that you can shift from reactive to proactive, enabling a much better survival rate.

Situational Awareness

You're prepared. You're geared up for how to survive. Now you need to be aware. If you don't know what's going on around you, then you are SOL.

In infosec we have several random mantras that tell us that we need to measure, monitor, report on, etc, etc, etc. More importantly, we assess. A lot. Risk management cannot be very functional if you're not aware of your environment and if you're not testing various components. This is how we achieve awareness, among other things.

In the real world, public safety would be greatly improved if people would simply pay better attention to what's going on around them. This is not the same as calling for a cadre of amateur spies to inform on their neighbors. What it is saying is that you should have your eyes open, and always know where you are spatially in case you need to go into action following your response plan.

Situational awareness can be heightened through education, training, and regular communication on key areas of concern. Partnering with local law enforcement to discuss various common scenarios and to help refine plans is highly recommended.

I simply cannot stress enough the importance of situational awareness. If we all paid a little better attention, and then stepped up to take appropriate actions or responses when we saw things, then I believe society would function much better in general. This includes simple things like putting smartphones away while driving, looking at people when they're talking to you (body language can say a lot!), and so on.

In Closing...

There's much more that can be said on these topics. For example, I've mostly left out a discussion of "active defense," which is a hot topic in infosec right now. Concealed carry and training principals or specially designated responders to tactically engage an active shooter would, in my mind, qualify as being in the same category. Unfortunately, the laws surrounding an active defense strategy simply aren't adequately understood and refined today to make this feasible in infosec. In public safety, we would need to invest in training and outfitting personnel, or hiring and assigning specialized personnel, in order to follow through on an active defense plan.

That said, there are some legitimate considerations around active defense. In almost all the recent cases, the attacker turned the gun on himself as soon as he was confronted with an opposing (armed) force. A little bit of armed resistance goes a long way (perhaps the thought in the minds of the Founding Fathers when writing the 2nd Amendment).

Also worth discussing, but at another time, is that of how to modify culture at large to foster healthier, more desirable behavior. Studies have shown repeatedly that playing violent video games (especially the latest ones that are very realistic) ends up increasing the natural aggressive response of gamers, as well as decreasing their natural reluctance to kill. On top of this, we (in the US) currently have a culture that glorifies warriors and aggressively promotes a warrior attitude and lifestyle. This can be healthy and useful for fitness training, for military training, for martial arts training, and for general well-being, but only if it's couched within a larger concept of treating people properly, respectfully, and putting a premium value on life. Unfortunately, our society seems to be consistently devaluing life; a perspective exacerbated by global wars of aggression, remote drone strikes that have killed children and civilians, and the increasingly militarized police forces in our local communities.

Resetting societal values is a daunting task, and something that will take much effort in education and awareness campaigns, as well as through governance changes. These are all things that we in infosec have been grappling with throughout our careers. There are many competing theories on how to change behavior in the workplace. Hopefully we can take some of these examples and expand them out to society at large.

Let us hope that all this craziness will now settle down, and that we can perhaps start improving as a society. Personally, I'm very concerned that this whole "Mayan apocalypse" nonsense (on 12/21/12) will still result in more insanity. Please maintain active situational awareness, be safe, and let's all have a happy holiday season to end the year!

About this Entry

This page contains a single entry by Ben Tomhave published on December 18, 2012 8:41 PM.
