Threat assessments are documents provided by the government so that contractors can know who is out to get, destroy, copy, compromise, or resell their cleared projects. In the past, these threat assessments were to be updated ‘regularly’, which generally meant every three years or so. Nowadays, we seek updates more often than that, particularly because we live in a shape-shifting environment. Computer threats, for instance, change so often that sometimes a system bought six months ago is out of date. Plan accordingly. When we say this to cleared personnel, it is important to realize that threats come in many ways, demanding reassessments not only for new dangers on the horizon, but old threats found to be employed in new ways.
Let’s see what that means.
Try to Protect Everything All the Time – Protect Nothing
We can’t protect everything, all the time. A great Chinese philosopher once said, ‘If you try to protect everywhere, you will be weak everywhere.’ The concept of forcing an adversary to defend everywhere has worked in history. For example, Vietnamese communists planned their final assault on the Republic of South Vietnam by a North Vietnamese regular army’s invasion, assisted by a general uprising of their Viet Cong irregulars. While the armored and infantry units of North Vietnam drove in a conventional attack, their southern Viet Cong irregular allies caused chaos behind the South Vietnamese lines. The Viet Cong disrupted enemy supply lines, destroyed bridges, blew up ammunition and supply depots, and ambushed reinforcements sent to confront the North Vietnamese invasion. The South Vietnamese couldn’t protect everything, and when they tried, they weakened themselves in other areas.
Employ Traditional Means in New Ways
Another truism about threats deals with new ways to employ traditional means. Consider that Hitler’s German Wehrmacht army was not the most well financed, heavily gunned, or even most numerous force in Europe. It was because the Germans discovered a new way to employ massed tanks, as a concentrated armored point to a shaft of massive infantry, employed in a new, unanticipated way, that made the Blitzkrieg the stunning success it became.
Applications for Security Officers
So if we are facility security officers, what must we know about our threat landscape? We must have a reasonable idea of who our adversary is. Are they smart, patient, and cunning? Or, conversely, are they blunt and known? Mostly, we don’t really know, but can only infer from methods previously determined. We are at our best, though, when we rightly determine how our adversaries’ capabilities might be employed to their best effect. We need to think like they do. We need to try to anticipate how they might work against our classified programs.
Concentrate Your Security Investment
As we review our threat data, we must know where to concentrate our investment in security countermeasures. This is often straightforward in modern industry. We hire the latest, most experienced talent on the computer market. These experts come with plenty of situational awareness of potential threats as well as those written up, since they’ve often been doing this since childhood. The question we have to ask ourselves is, are they prepared to defeat the threats against you today? Can they read a threat document, and determine where we are weakest? Will they be able to anticipate a threat that might only be inferred by the data available? These are questions which any interview of prospective security officers, technicians, and specialists must address. We want someone not only familiar with past methods, but potential future threats as well.
An example might help here, too. A NATO security manager called his government advisor to sit in on a threat brief by a security salesman trying to sell security gear, facility protection products, and camera systems. The briefing the salesman gave was dark and foreboding, suggesting that a recent terrorist attack was but the tip of a future terror iceberg. Upon completion, he presented a panoply of cameras, physical barriers, lights, dog-chains, and watchtowers for purchase consideration. These would be to prevent such terror from occurring.
The source of his data? His inferences? Oh, he murmured, “This is close hold.” “Is the information classified?” “No,” he responded,”…but sensitive.”
He was thanked and sent on his way. Today’s threats are numerous, but unless there is a substantive foundation to what they actually are, we will be throwing good money after bad, fearing everything. How to identify the real threats? We can do so through case studies. These we study and learn through inferences based on known uses of an adversaries’ capabilities, and inferences based on known motives of an adversary to use those capabilities for future actions. A good threat assessment can tell you who has sought your data or product. A good intelligence officer can interpret what that data means for your investments to protect them. No system is foolproof. But when we understand motive, capability, and available means to commit an act against cleared programs, we’re in a better position to stop them.
