2nd Secure Trade in the Asia Pacific Region (STAR) Conference
Vina Del Mar, Chile, 05 March 2004
I thought it might be useful or valuable to give you some examples of the kinds of work we have been asked to undertake to a greater degree these past couple of years. First, there has been plenty of demand for Vulnerability Assessments, Security Audits and Threat Assessments. These requirements have originated from government mandates or through the ordinary due diligence of responsible public or private administrators. Our clients have been governmental and commercial entities from around the world.
Of all of these clients the best ones, and by best I don't mean the ones who spent the most, I mean the ones that we considered the smartest and most reasonable, were the ones that came to us and said, "Hey Jane's, I feel that the current global security environment indicates that I should be doing something. I'm not sure what, but something." These people have rightly identified a new major threat that may have an impact on their area of responsibility, whether that is some aspect of critical national infrastructure, or multinational business operations. They are looking for an accurate threat assessment to determine to what degree they are directly affected, or indirectly affected through impact on their customers or the people they serve. These clients recognize that the threat needs to be analyzed accurately before identifying how to respond. In fact, they understand that appropriate response is based on good intelligence. They are beginning their process by asking a consultant to give them intelligence or threat motives and capabilities and how those will impact their operations. To defend everything against all possible threats is generally beyond the financial means of most organizations and is certainly not fiscal responsibility for commercial entities.
The other type of client that has come to us under the guise of needing vulnerability assessments, security audits or threat assessments is the one that already has a large new budget earmarked for physical security enhancements and wants our help allocating their funds appropriately. The problem with this situation is that it has been predetermined that the appropriate response is new cameras, lights, fencing and so on. Why? One reason is that the person responsible for security on a daily basis is probably not a strategic thinker and his world is largely focused on the mechanics of physical security. He is probably the one who interacts with the vendors who try to sell him all of the neat new kit that are the symbolic icons of security. When an event happens that tells the executive that the threat environment has changed, he goes to this manager who responds with a wish list of technology enhancements, or in some cases manpower requests. The manager is happy because he has newer and more equipment. The executive who allocates the funds is happy because the new equipment serves as visible evidence of response - therefore he can claim due diligence. But in this situation, there has been a fundamental failure to apply response to threat. The allocation of security funds has not been fully reasoned. The methodology is not evidence of due diligence; the response is more one of gross negligence. Unfortunately, this situation is far too common. There is also a twist to this situation, where the threat assessment is undertaken by the same organization that provides the security solution. The conflict of interest is obvious, but the occurrence still common.
There are two lessons here. The first is quickness or proclivity to adopt technology as a solution is often a mistake. The second is the quickness to act before collecting adequate information or intelligence will likely lead to misallocation of resources.
On the first point, security technology; there will be billions of dollars spent globally in the coming years on security technology; but what is a more staggering number is the percentage of this expenditure that will ultimately be proven to be a waste.
Why do we pursue technology? I have already indicated that it is a quick fix for the appearance of due diligence. But the real reasons are different. First, we pursue technology to do things that we cannot do. Second, we pursue technology to do things more safely than we currently do them. Third, we pursue technology as a solution because it is less expensive. It is rare that technology is the only solution or required for safety. So that leaves us with this idea of expense. By expense I mean labor costs. If you can picture a scale: on one end is technology and on the other is manpower. In a country where you have expensive labor and an educated or techno savvy workforce, you are inclined to emphasize technology to do most of the work. On the other end of the scale, you have inexpensive labor where one emphasizes manpower to do the tasks. Technology here - Manpower there. The objectives are the same; say for instance prevent transshipment of illicit cargo, but the methodology for meeting that objective is different.
There is one other reason for technology - reduce the instances of human error. When technology is an absolute solution, say biometric identity verification at immigrations, it is difficult to find a reason not to adopt it. But when the solution is far from absolute, like with x-raying which is usually reliant on human interpretation the manpower solution still may be adequate. The issue of success or failure in both cases usually reduces to one of training; both methodologies are can be equally effective.
It must be recognized that in many countries the preferred job can be that of a customs inspector. The competition for these posts is as great as it is for acceptance to the finest universities. The reason is, of course, money via the accepted process of bribery. In these countries, the adoption of new security measures, whether technology based or otherwise, will not change what ultimately gets moved by these customs officials. In this case, it is the integrity of the government that is at fault. Regardless of what treaty is signed, what technology is applied, how much staff is hired. The lack of systemic integrity should preclude any other nation from relying on a reasonable contribution to the security of international trade by the nation in question.
This really gets to the heart of the issue. At the end of the day, one can only rely on one's own government to protect its borders. This means substantial increase in transaction costs as a result of the greater security for the movement of goods internationally by each country. If we could rely on one another to maintain a certain level of security with respect to trade, we wouldn't have to replicate so many inspection processes.
A second lesson learned that I mentioned as a result of the many security assessments we have done over the past couple of years was the intelligence process.
But, before I get to the second issue of intelligence, I want to briefly describe other kinds of projects that have taken up a considerable amount of our consulting time over the past few years. We have been working in great detail with the insurance industry to help them forecast loss as a result of terrorist activity. On one hand, we have been detailing terrorist attack modes and the logistic burden necessary to carry them out. And on the other hand, we have been assessing the different levels of security found at facilities and the world to determine the characteristics typically found and to what degree they defeat the attack modes. There is a large amount of world-class talent that has gone into these models, talent in addition to Jane's. And although I cannot describe for you the exact algorithm upon which the models run, I can tell you that we review each conclusion, and where the algorithm is at variance with our collective analysis, the model is thoroughly reanalyzed. So what? Aside from the observations that the allocation of security funding is regularly determined by the model to be in disproportion to the threat, the lesson here is the emphasis on information or applied information - intelligence. The industry whose raison d'etre, whose success relies on accurate risk management, adopts very rigorous information/intelligence practices.
Also related to work in the insurance industry is the demand for PML - probable maximum loss analysis. This is essentially determining what the premium should be for a facility seeking terrorism insurance. This work is closely related to vulnerability assessments and security audits, but places a large emphasis on threat intelligence first, because without an understanding of the threat and its capabilities, one cannot adequately purpose security or analyze the quality of existing security.
The last broad area in which Jane's Consultancy has been focusing these past couple of years is international finance and business. Work in this area includes assisting the banking and investment community in determining where certain individuals or company's wealth comes from; determining the legitimately of business targeted for acquisition, trade or loans; and identifying front companies who are or may be facilitating technology transfer in violation of trade relations. This too is intelligence work in support of service trade. Although it would be wrong to characterize this as self-regulation, it is evidence of the recognized obligation of greater due diligence by industry in these areas.
Now, back to the intelligence lesson. Good intelligence is the basis of good and efficient security. In fact, if we had perfect intelligence we would pre-empt all events, security would involve merely rounding up the threats as they appear on our intel radar screen. But we don't have perfect intelligence, and never will. Similarly, we will never have perfect physical security. So, like many things the solution is a balanced mix of physical security procedures and intelligence (Physical security attacks the symptoms. Intelligence attacks the disease.) Moreover, the mix of intelligence and physical security may vary from country to country. Like my oil refinery example, there are countries that have well integrated intelligence sharing amongst the national government, local government and certain industries. You can envision a scale with great integrated intelligence on one end and total lack of coordinated intelligence on the other. The totally integrated one may look like a police state and the other is totally lawless. I'm not here to promote any particular political agenda; I merely recognize that there are various systems in the international community that may have a more capable domestic intelligence program. And the adoption of more rigorous domestic intelligence is certainly a trend in many countries.
So what has Baxter said?
- Intelligence is the basis for efficient and effective security.
- Technology is a measured solution. For some countries it is more important than others. In many cases the same level of security can be achieved without heavy technology investments.
- If a government does not maintain an honest institution it cannot be considered a reliable trade partner. The sincerity of a nation's commitment to secure trade begins at the top. It is a path a country must be led down.
- Perhaps a bit less obvious in my perception is the need to share more information/intelligence with our reliable trade partners. Intelligence on threats and best practices, success and failures.
- Finally, let me submit to you that there is another balance. On one end the traditional collective security agreement designed to protect states from one another. On the other hand you have the trade agreements designed to stabilize economic relationships. The most active threat today is probably less the state actor and more the transnational non-state actor. Their methodology is not to confront the armed forces; rather, it's to defeat the confidence in the economy and the freedom of trade and travel.
It may be that the future of collective security will be derived from the security provisions of trade agreements.