What can we, who protect classified programs, do to prevent disasters in our agencies or companies? We follow with shock and marvel at the calamity which happened at Uvalde. There, a mass murder took lives in the circumstances of a virtual Shakespearean tragedy.
Prevention
Prevention is the goal to be pursued by any competent staff. If, we, as staff security personnel plan properly, and implement corrections to identified concerns, we will have done the best we can. With so much training available today, there is virtually no excuse for not being aware of what we should do, or need to have available. One of the main conclusions to come from one assessment of that epic fiasco at Uvalde was there was no anti-rifle shield for those officials coming into the shooter’s location. A training exercise conducted before the incident even identified the need for such protection. None was available when the attack occurred. None, that is, until at last Border Patrol officers arrived with such a shield, and the shooter was overcome. Let’s look at some of the simplest ways we can prepare ourselves.
Training
Conduct the training necessary to respond to insider threats, hostage situations, to theft. The government used to send red teams out to sites, to conduct training exercises to determine how a local facility would deal with these concerns. Did the facility know what personnel were needed? Where were the local bomb squads, a locally trained hostage negotiator? If needed, how could a swat team be accessed? Many such questions were addressed during the exercise.
Report
In the classified world, we must concern ourselves with so much more these days. We must be aware of cyber attacks, which in the past were not of concern at all. Today, they are paramount threats. Today, agencies should have trained cyber specialists on hand, not only as subject matter experts, but also as someone familiar with the local, state, and federal agencies that can be called upon for backup. A recent assessment noted a concern even among those well-versed in such support.
One federal agency required a report of an incident (anomaly) within eight hours of identification. Indeed, another required a report within 72 hours. Exercises, even a simple, actual walk-through of such incidents, would have identified such concerns and they could be reconciled before an incident occurred. Professionals could discuss these apparent paradoxes, and reconcile the solution were the event to be real. Likewise, the destruction of classifieds must be studied. One American embassy in Africa had no such plan, and its classified was found floating around the countryside when the embassy was overrun in a local uprising. Cold War-era thermite grenades might be available, but the prepared security staff needs to know how they work and who is designated to implement destruction.
Plan Ahead
Any planning needs to identify who will act, and under what circumstances. Periodic reviews are needed. If we are aware of say, Russian computer theft, these days we know they like to set ‘time bombs’ on compromised computers. That is, they access computers, place malware inside, and then wait for the worst (for us) moment to strike. Computer experts should be on hand to test periodically to verify we have not been compromised.
What are the protocols for response if you are located overseas? Many know how Soviet firemen responded to flames at the U.S. embassy in Moscow. We know they weren’t all firemen. Compromise of our classified information was a factor to be considered. How much preparation, and what type of preparedness, must each location make? We see from this example that all preparation is not the same.
Understand the need
We Americans, seeking efficiency, always try to standardize our responses. Yet here in the Moscow fire example, we see how what happens in a closed, hostile environment in one country is not the same as similar preparations as in, say, Ottawa. This illustrates another issue that would flow from this consideration. We need the buy-in of our facility leadership to ensure we prepare for our office or facility specifically, not as a generic response. It does no one much good to send someone to generalized training if they can’t prepare for events unique to where they physically are as well. A generalist will be able to know broadly what needs to be done, not specifically what happens right where he is. Of course, as Uvalde shows, if we know something is needed on site, then we must have leadership’s authority to get the anti-rifle shield, for example. Otherwise, why have the training at all?
In the end, use the military maxim modified for your own cleared programs. Know how you can move (have the appropriate people), shoot (perform your mission), and communicate in emergencies. Your preparation time will be well spent. It might be what saves lives, not just classified information.
