Risk and Security LLC

Risk Assessments, Training and More

This content shows Simple View

Libya

Benghazi Hearing Demonstrates Attack Uncovered A Fatal Lack of Coordination & Funding for Embassy Security

Just two weeks ago, we were talking about the lack of coordination between DHS agencies and known intelligence on the brothers responsible.

Now we have the Benghazi Senate hearings, and here is the same problem again – lack of coordination between different parts of the State Department, and with the Defense Department, AND with the CIA and the intelligence community.

Add to this, the appalling cuts in funding for diplomatic security, and a flawed process about what needs to be done about security and protection to our embassies around the world.

“In these tight budget times, the committee has had to make some tough choices to prioritize funding.”, said a GOP aide in The Hill article (GOP cuts to embassy security draw scrutiny), by Alexander Bolton on September 18, 2012.   In spite of the uncertainly of the Arab Spring, the demonstrations every Friday in streets from Bahrain to Tunesia, the embassies had their budgets cut.

Of course, security experts are used to this, security doesn’t directly generate revenue, and it is often one of the first functions on the chopping block.  However, to cut funding to the critical embassy functions in this volatile environment, is obviously a very bad decision on the part of the GOP.

For example, the security risk assessment which are routinely done on these embassies are not done on a systematic basis.  As a risk expert, these security risk assessments should be done WEEKLY, and they should be automated so they can instantly be compared to environments in other embassies, and comparisons made by month, by year, and trends can be tracked.

If we can’t afford to do these assessments and just as important, if we can’t afford to fix the problems that assessments reveal, then we should not have embassies in these places.

The security risk assessments that are done properly must also include complete threat assessments.  “We need to develop a paradigm for managing risk“, said Gregory Hicks, a Foreign Service Officer who testified today on Capitol Hill.

These paradigms for managing risk already exist and they have been totally ignored by the State Department, which makes it almost impossible to get a clear, unfiltered view of the security situation at any embassy, at any point in time.

At least both sides of the political aisle agree, we do not want this to happen again!  Benghazi is not a political problem, it is a massive security failure problem!

 



What do Benghazi and Newtown have in common? Flawed Security!

After the attack on the Benghazi mission and the tragic mass shooting at Sandy Hook Elementary, its apparent that what these two terrible incidents have in common is that security was not adequate.

In Benghazi, after the hearings and the pundits and speculation, the bottom line is that there was insufficient security.  In-place security controls were not sufficient to deter an attack, and the emergency controls were also not sufficient to recover and deal with the emergency attack.

In Newtown, at Sandy Hook Elementary, security was inadequate.  Security people often say that security is just as good as the weakest link, and despite adding new security controls, it was defeated because of the glass entry.  The shooter wasn’t allowed in so he simply broke the glass.  That slowed him up by 2 minutes, maybe. Also backup security controls were non-existent.  The shooter was observed and still there was no effective response.

There are three elements to security – DETER, DENY and RESPOND:

DETER – means to make the facility look too difficult to attack, and so the attacker thinks it’s too hard and goes away.

DENY – means that it is impossible for the attacker to get into the facility to launch an attack.

RESPOND/PROTECT means that after the attack is launched, the facility can defend itself, or to protect the individuals and/or property inside the facility.
Both Benghazi and Newtown did not deter, didn’t deny access, and didn’t have an adequate security response.

The Newtown shooting showed that this school, like many others across the country, had a false sense of security, because while some security elements were in place, the shooter easily entered the school, making the other elements irrelevant and  him to inflict mass casualties.

In both cases, the response was not adequate, it was ‘too little too late’.  And ‘too late’ means the attack can’t be stopped or contained.

The WHY is easy, because the security budget was inadequate.  These facilities did not have adequate risk assessments that could have demonstrated the critical assets contained within them.  What is more critical than classrooms of 6 year old children?  What is more critical than a State department facility with a U.S. ambassador inside?  Yet both didn’t have the protective security controls they deserved because their wasn’t enough budget for enough security.

Another element these incidents have in common is that they are both government facilities.  Yes, one was the Federal government and one was a local school district – but they both had the same problem of being short on budgets.  And when organizations are short on budgets, security is one of the first things to get their funding cut, or reduced.

Every facility needs a SECURITY risk assessment up front, how else can you allocate the funding and make sure that there is ENOUGH security in place to protect our most critical assets, our children?



Why the State Department Needs Better Threat-Risk Assessments

Obviously, the tragedy in Libya this week focused the world’s attention, not just on the bodies of our countrymen returning home, but made me wonder about the risk assessments and threat assessments that are routinely done in these extremely sensitive locations.

Unfortunately, the threat assessments tend to be more political forecasting and less about the reality of the situation on the ground.  One problem with these simple manual threat/risk assessments is that they take too long to complete.  Maybe they spend a few days looking at the physical controls, and then a week writing up a report, and much of it may rely on anecdotal incidents or reports of questionable value.

That’s why I am a believer in automating these threat/risk assessments, and in a potentially dangerous area like the whole country of Libya, they should be at least weekly, or bi-weekly, or even daily when tensions are running high.  It allows you to get a quick assessment in less than 30 minutes, and allows for quick updating, which is critical in situations like this week.

And no, I don’t believe a threat/risk assessment would necessarily PREVENT a terrible tragedy like the death of an American Ambassador, but I do think that having these updated assessments allows for safeguards to be continuously checked, measured and improved, and also may expose weaknesses that can be exploited by a terrorist group when the opportunity presents itself.

The practice of running continual assessments is not used very often, but when it is, it’s very effective because when the situation goes south, you already the blueprint of what to do right in front of you, and it allows better decision support under such stressful conditions.

The information-sharing done by different groups can be wrapped up in the risk assessment and combined, so that maybe a higher threat condition can be identified, in time to relocate, leave the country, or whatever else it takes to protect the lives of our diplomatic staff.

 




top