Risk Management for U.S. State Department Securing U.S. Missions Overseas

Transcription

1 March 14, 2014 Risk Management for U.S. State Department Securing U.S. Missions Overseas Being on the front lines of U.S. national security has always been inherently risky; however, we strive to mitigate this risk to the maximum extent possible (DS) advances American interests and foreign policy We do this by maintaining a security program that includes analyzing threats, managing the security situation, and mitigating risks. Gregory B. Starr, Acting Assistant Secretary for Diplomatic Security, Bureau of Diplomatic Security Statement to the Senate Foreign Relations Committee, July 16, 2013 Introduction American diplomats have faced threats overseas since before the formation of the United States. For example, when John Adams sailed on board the Continental Navy frigate Boston in 1778, he faced the threat of trans- Atlantic travel, as well as the threat from His Majesty s Royal Navy, eager to capture or sink a colonial vessel. Nevertheless, our Founding Father faced the risk unflinchingly. Eventually, Adams secured the recognition, and the credit, of our burgeoning nation at The Hague in Those negotiations proved vital to the American cause, and the risk Adams faced was ultimately proven to be justified. Today, U.S. Diplomatic efforts overseas are just as important, but understanding the risk, and mitigating that risk intelligently, has never been so complex or so challenging. The modern international threat landscape, as reported in the U.S. media, can seem confusing and overwhelming, especially in an era of Expeditionary Diplomacy. While risk to diplomatic efforts is manageable, it is no longer enough simply to be reactive, or to rely on the lessons learned of past events. Diplomatic efforts in complex environments must focus security resources on proactive solutions, realtime situational awareness, and crisis and continuity preparedness. Moreover, a clear and documented enterprise risk management program, that is understood and embraced by all of State Department security professionals, diplomats, and the foreign officers alike is required. Risk Management the Panel determined that there is no formal risk management model in place for use by either DS or the Department Where risk management is not mainstreamed and understood by program and security managers across an organization, security is seen as an impediment to mission accomplishment rather than as an operational enabler. A risk management model makes it possible for an organization to identify security measures and resources required to achieve mission objectives and then determine the level of risk it is willing to accept to accomplish those objectives. 1 A quick Internet search will illustrate that there are numerous risk management models utilized within the security profession. Nevertheless, most models contain the following four general steps: Identify Risk; Prioritize Risk; Implement Countermeasures; and Measure Results. The models are usually visualized as a circle, as there is a cyclical nature to a methodology that is always looking for the new or emerging risk. Identify Risk Measure Results Prioritize Risk Implement Countermeasures 1 Report of The Independent Panel on Best Practices, Washington, DC, 29, August,

2 However, our online search would also show that the term risk is often not clearly defined or understood. So first, we must answer the question: What is Risk? First, risk can take many shapes, not just what some might often think, i.e., physical security risk. Risk can also relate to human capital, information, resiliency, and reputation/public relations, among many others. Second, risk is generally defined as a function of threat arrayed against vulnerabilities. In addition, most well developed risk assessment systems incorporate additional sophisticated variables, particularly the notion of criticality of a person, place or thing in a system of systems. Therefore, for our purposes here, risk is defined as: vulnerability include location, accessibility, adequacy of security, and availability, periodicity, or duration of the potential target. Therefore, a robust risk management program will identify and prioritize risk understanding the underlying issues of criticality, threat, and vulnerability and then move to mitigate the risk through countermeasures. Countermeasures are actions, devices, systems, or capabilities deployed to reduce or mitigate risk. Implementing countermeasures will generally attempt to affect either a threat (offensive) or a vulnerability (defensive) in order to reduce the overall risk score. Risk = Criticality x Threat x Vulnerability Criticality: The U.S. Department of Homeland Security defines criticality as, a systematic approach to identify and evaluate important or critical assets. Criticality assessments help planners determine the relative importance of assets, helping to prioritize the allocation of resources to the most critical assets. Threat: A threat assessment is a systematic effort to identify and evaluate existing or potential threats to a person, place or thing and its associated components. Due to the difficulty in assessing threat capabilities, intentions, and triggers, threat assessments often yield only general information and can lack details such as timing or the specific target. Threat assessments are compiled from comprehensive and rigorous research and analysis. These assessments consider the full spectrum of threats such as natural disasters, disease, criminal activity, political violence, and insider compromise. Vulnerability: A vulnerability assessment is the identification of weaknesses in physical structures, personnel protection systems, processes, or other areas that may be intentionally or unintentionally exploited by potential threats. Vulnerability is difficult to measure objectively. Factors to consider when determining Risk Mitigation It is important to note that no risk management program is a risk elimination program no matter how many countermeasures are applied, there will always be a residual risk, as risk never simply goes away. If we consider operating in complex environments, the goal of a well-developed and well-executed risk management program is to reduce the residual risk to an acceptable level, always weighted against the cost in terms of time, resources, dollars, and/or energy of the necessary countermeasures. To continue to operate under difficult circumstances in an age of Expeditionary Diplomacy, there will always have to be a degree of risk acceptance based on this cost-benefit analysis process. U.S. State Department personnel who volunteer to operate in austere and complex environments implicitly accept that there may be risk to their physical safety. Those individuals rely on the dedicated security professionals of the Bureau of Diplomatic Security 2

3 to reduce that risk to an acceptable level. In order to accomplish this goal, there must be a clear and uniform risk management system, with a common lexicon, that all of State Department understands and embraces. TorchStone Page believes that any good risk management program should begin with a foundation of solid intelligence, so that threats are discovered and identified. The remainder of this paper will discuss two potential intelligence solutions that help to identify threat, and hence risk. Enhanced Intelligence for Risk Management Intelligence Within A review of relevant documents confirmed that the intelligence community did not possess intelligence indicating planning or intentions for an attack on the Benghazi facility on or about September 11, Engaged local security workers--whether directly employed by the government or through a contractor- -can be an intelligence goldmine at U.S. missions overseas. When effectively developed, local staff can become a primary source feed delivering real-time, accurate, and insightful information regarding local opinions, attitudes, and even activities. Under thoughtful management, locally employed workers can even act as an early warning system to shifts in public opinion that could have adverse consequences for the U.S. State Department operating in unstable environments. In order for such an intelligence asset to bear fruit, first, the relationship must be one of mutual respect, dignity, and trust. Second, there must be an esprit de corps and a sense of being part of something larger than self among the employees. However, such loyalty the kind that will stand and fight in the face of grave danger can only be developed over time via team building, training, health care initiatives, and ongoing cultural sensitivity. To start, competitive financial remuneration levels certainly can assist with promoting loyalty in the early stages of employment. Money cannot be the end of the process, but employees that develop a vested interest in the continuing operation of their workplace are far more likely to provide advance warning of any intelligence that will protect their own livelihood. The importance of delivering developmental training should not be overlooked when fostering relationships with the local workforce. Over the last decade, the team behind TorchStone Page has found that investment in the employee, via training, is greatly appreciated by local staff and forges a strong bond. As those bonds mature, new communication and intelligence channels are opened as a return on investment (ROI). Beyond that, it is a mutually beneficial process: The employee gains new skills, performs better in his/her primary function, shares information readily, and develops a more loyal stance to the employer; and the employer has a security team that is loyal and will be more likely to act decisively in the face of adversity. Social Media Monitoring The [SSCI] Committee urges the DNI and the State Department to conduct a review of the types of intelligence products that INR 1 prepares and to look for ways to make INR s products more timely and responsive to world events, especially those that directly affect State Department personnel. 3 2 Interim Progress Report for the Members of the House Republican Conference on the Events Surrounding the September Terrorist Attacks in Benghazi, Libya. 3 U.S. Senate Select Committee on Intelligence Review of the Terrorist Attacks on U.S. Facilities in Benghazi, Libya, September 11-12, 2012, January 15,

4 In an age of self-publication 140 characters per Tweet via Twitter social media has become a big data source of real-time open source intelligence (OSINT). Smart phones have become ubiquitous not only in the West, but also in emerging and developing regions. The consequences of this fact are two numerous to mention here, and the potential ripple effects are still yet unknown. Nevertheless, as the world saw in the Arab Spring and its aftermath, Twitter, Facebook, Instagram, and other social media platforms can be used for mass communication, as well as coordination of operations, and even command and control purposes. The end result of such mobilization can be a violent and out-ofcontrol protest outside a U.S. Embassy, as was seen in Egypt in September of An incident that seemed to come out of nowhere, and yet, was orchestrated via social media. TorchStone Page, on behalf of private sector clients, has been searching for years for a social media monitoring technology that can provide advanced warning. Unfortunately, most of the highly touted software we have evaluated does little more than tell you what has already happened. At most, these software companies attempt to use analysts to search for trends in the historical data, and then, make predictions based on trending analysis. However, new solutions can now provide the actionable and protective intelligence our clients need to secure their people, facilities, and assets in the midst of real-time events. We believe that PathAR has developed a new generation social media technology that goes far beyond monitoring. The below image shows PathAR s software applied to recent labor strikes in Morocco, but more importantly, it depicts the strong operational links of those groups to local radical jihadists. TorchStone Page recognizes the increasing value that providers like PathAR bring to the development of intelligence, the identification of emerging and new threats, and hence, the important role to be played in a comprehensive risk management program. 4

5 Conclusion We can never truly eliminate all the risks facing our dedicated personnel working overseas to advance U.S. interests. However, as the Department has said, we place the highest priority on the security of our personnel and will continue to take steps, which in some instances includes extraordinary measures, to provide for their safety. 4 In a time of Expeditionary Diplomacy, the State Department finds itself representing the United States in failing and failed states, and in recently toppled states with new and uncertain governments. In recent years, State has even found itself absorbing transitional responsibilities from the U.S Department of Defense in Iraq and Afghanistan. If that is the mission of the State Department, then the mission of the Bureau of Diplomatic Security is to everywhere, ensure that the State Department can carry out its foreign policy missions safely and securely. 5 TorchStone Page believes that a robust, well-developed, and widely embraced risk management program across all of State is absolutely necessary for both of these missions to succeed. Moreover, at the heart of that risk management program should be innovative intelligence technology, services, and solutions. Delivering superior security services through improved intelligence and local engagement. David T. Niccolini Managing Director Washington, DC David@TorchStonePageInc.com Mobile: Jeffrey S. Riner Senior Consultant Washington, DC JRiner@TorchStonePageInc.com Mobile: James J. Devenney Operations Manager London JDevenney@TorchStonePageInc.com Mobile: + 44 (0) Bill Miller, Deputy Assistant Secretary of High Threat Posts, Bureau of Diplomatic Security, Statement to the Senate Foreign Relations Committee, July 16,