Security Strength Through Diversification

In November, I saw an interesting article on the Wired Danger Room national security blog: Top Pilot: Air Force Should Put Brakes on All-Stealth Arsenal. Stealth technology is obviously a critical asset, and in December they ran another good piece (7 Secret Ways America's Stealth Armada Stays Off the Radar) that explained some of the technical aspects of how stealth works in modern aircraft. I make note of the article not so much because of the aspect that it's getting at - a discussion of the types of aircraft in America's air forces - but rather, to illustrate a broader point about security.

Most folks have a pretty standardized vision of what security entails: guys with guns, concrete or chain link fences, barbed wire, and maybe high security doors. Of course, these can all be important aspects of security. However, security is best when it uses a layered, diverse approach that draws upon multiple disciplines, techniques, and technologies. In network security, this is referred to as defense in depth (a term and concept that's also used by the military). It's similar to the military doctrine of combined arms, which seeks to maximize military effectiveness by using multiple, complementary weapon systems.

In security operations, defense in depth can be achieved by combining what we usually think of - things like guard forces, barriers, and sensors - with other disciplines, like specialized security procedures, red teaming/penetration testing, and overlapping access controls. By overlapping security protocols, procedures, and equipment, the overall risk of security breaches can be mitigated. The likelihood of security failures increases When an organization relies too heavily on one security measure, or attempts to do security on the cheap - for example, relying only on procedures, or by providing authorized personnel with credentials without implementing measures to verify those credentials.

The steps for establishing good overall security are the same as the steps for OPSEC:

1. Identify Critical Information/Assets
2. Conduct Threat Analysis
3. Conduct Vulnerability Analysis
4. Assess Risk
5. Apply Countermeasures

A strong risk analysis is critical because it can help to ensure two things:

1. Gaps in security can be identified, addressed, and mitigated, potentially saving the organization from the costs incurred in a security breach. Security breaches can be expensive, both in financial costs and in damage to an organization's reputation or ability to conduct its operations. 2. A level of security commensurate with the threat to the organization can be established. This can also save costs, as it prevents overspending on security measures that are poorly suited to an organization's needs, or which exceed the threat posed by an adversary.

Combining a good risk assessment with defense in depth is the essence of the old adage, "An ounce of prevention equals a pound of cure".

More Ironic Music from IRIB

One of my first posts was about the Islamic Republic of Iran Broadcasting agency's use of the theme from The Delta Force in its nightly propaganda broadcast. A couple of weeks ago, I caught them at it again, but this time... Well, let's just say you'll be surprised.


For all of the Iranian government's nefarious dealings, and all of the IRIB's ridiculous claims on their nightly program, I'll at least give them credit: someone in their office has a sense of humor.

Ranger Up Presents: How to Get a Job

In early 2012, Ranger Up CEO Nick Palmisciano posted a series of four videos on YouTube to help veterans of Iraq and Afghanistan find work. Having worked as a hiring manager, and having fought tooth and nail to climb the professional ladder, I found these videos fascinating and entirely legitimate - I can't remember a single thing that Palmisciano said that I disagreed with. The thing is, the advice Palmisciano offers is potentially useful for anyone trying to get hired. As such, I figured I'd post them for the benefit of any readers for whom the content would be relevant.

Ranger Up Presents: How to Get a Job Part 1, The Approach


Ranger Up Presents: How to get a Job, Part 2, The Resume


Ranger Up Presents: How to Get a Job as a Vet, Part 3, Networking


Ranger Up Presents: How to get a job as a Veteran Part 4, The Interview


Another resource that some folks may find helpful is Your Resume Stinks! from the Manager Tools Podcast. I'll add a few more tips that I've run into as both an interviewer and an interviewee.

Answer questions honestly while being interviewed. I once interviewed a guy whose answer - twice - to the question, "What's your greatest weakness?", was "I don't have any weaknesses, I'm a really strong person." All three members of the interview panel voted unanimously not to hire him.

Limit name-drops. On that same interview, the applicant couldn't answer a single question (other than the one about his weaknesses) without reminding the panel that he'd been in the Army. Things like that are okay to mention once or twice, but you should expect that if you've been invited in for an interview in the first place, you should expect that the hiring manager is aware of your qualifications and experience.

It also helps to anticipate your competition, and that's a follow-on from the last item. Most of the resumes I received as a hiring manager were a dime a dozen, and I tended to interview and eventually hire folks who could offer something different. I've also usually been hired because I could offer my potential employer something different than my competition could.

Be smart about what information you volunteer about yourself, and this is another one that's mentioned by Palmisciano. One candidate informed me that he'd shot off his toe - I didn't care that he was missing a toe, I cared that he'd volunteered information that called his personal responsibility and attention to detail into question.

Know what job you're applying to. If a hiring manager is trying to fill a recquisition for a technical writer and they get three hundred resumes for forklift drivers, the forklift drivers aren't going to receive responses inviting them to come in for an interview.

That's it for today.

On Entrepeneurship and Officer Retention

I figured I'd post a couple of items that fascinated me when they were published during the course of the last couple of years.

First, as I've found myself in a very entrepeneurial mindset over the last year or so, I found How to Get a Real Education by Dilbert author Scott Adams to be fascinating. Adams discusses lessons in entrepeneurship and other topics that he learned in college through activities, vice actual coursework. When I was an undergrad, I found that many of my extracurricular activities taught me far more than many of my required courses. That goes for both practical and abstract lessons; for example, working as a DJ at the campus radio station offered me lessons in technical troubleshooting and keeping good records, as well as teaching me followership and cooperation with people with whom I had little in common. While Adams' points don't apply directly to security, I've found that security professionals often benefit from experience and methods that are found outside the classroom.

Second, Dr. Tim Kane authored an excellent article in The Atlantic, entitled Why Our Best Officers Are Leaving. The Heritage Foundation hosted a discussion on the topic. I found Dr. Kane's discussions of the standards by which we ought to be measuring our officers (and, by extension, our officer candidates) poignant. My own goal of becoming a naval officer ended in its infancy in part due to the Navy's standards, and I have known a number of my peers whose careers have either stagnated or ended due to the military's sometimes arbitrary standards for officer recruitment and retention. Dr. Kane's research raises questions about whether the current standards are best suited to produce and retain the best possible officer corps for our military. Both the article and the discussion are excellent.

That's it for today.

Time to Play Catch-Up

As followers of the Operation Highlander blog will already know, I've got quite a bit on my plate right now. That said, I'd like to start paying a bit more attention to this blog. Most of what I'm currently involved with on a daily basis doesn't apply directly to the major functional areas of risk management, but a lot of the news stories I follow for school or for my own situational awareness relate back to one functional area or another.

I've also found myself working on some cool projects in my spare time that can tie back into risk management. One of them was the Google Reader project I mentioned in my last post. Another has been manipulating the data in my GPS using Wikimapia, Easy GPS, and Windows Notepad. (I find that I rarely need anything more than a web browser, Notepad, and Microsoft Excel to complete most tasks.) The GPS work relates back to an article and slide deck I read a couple of years ago about honesty traces, which can be a great Anti-Terrorism/Force Protection technique.

Anyway, I've got a good backlog of links and topics for this blog, I've made an effort to get ahead on posts for the Operation Highlander blog, and I'm in good shape on my school and extracurricular projects, so I'll try to spend the next few weeks posting some content to this one. I hope everyone out there finds it helpful.

Google Reader for Situational Awareness

Note: This is a rewrite of a post on the Operation Highlander blog that was originally written for the benefit of my classmates.

One of the most critical elements of good security is situational awareness. Modern technology has made the collection of information about security concerns easier, but it can still be time-consuming, particularly when presented with the "vacuum cleaner problem": the abundance of information sometimes makes it difficult to sift through all of the data available to find what's relevant and discard what's irrelevant.

In the last year, I've become an avid user of Google Reader. Google Reader is an RSS aggregator. What that means is that you can plug the links from the RSS feeds of your favorite news websites, blogs, and personal interest sites, and they'll all aggregate to a single point. This allows users to go to a single website, and then either read their news in the Google Reader "reader pane", or open individual links for further detail. Here are a couple of videos to introduce you to Google Reader:





By using Google Reader, I'm able to cut my daily news review times down considerably. Google Reader makes it easy to scroll through articles that aren't of interest, and to read the ones that are relevant to my interests. It also allows me to download podcasts efficiently, and keeps me abreast of websites I might otherwise forget about. I know of at least one U.S. Coast Guard organization that uses Google Reader to aggregate open-source intelligence, I'm reasonably sure that I know of another DoD activity that does the same, and I suspect that the guys at Small Wars Journal use it or something similar when assembling their daily SWJ Roundup. Had I gotten on the ball sooner, Google Reader would have made me a lot more efficient at several of the duties I was tasked with in the Middle East. I can't speak to its accessibility on Apple devices, but I've had great results reviewing my feed on Android devices like my Motorola Droid 4 and my Kindle Fire.

Here's a list of some of the RSS feeds I aggregate to Google Reader so that I can maintain my situational awareness of global security developments:

Mainstream News:

BBC News - Middle East (RSS)

BBC News - NE Scotland, Orkney & Shetland (RSS)

CNN.com - WORLD (RSS)

CNN.com - WORLD/Middle East (RSS)

The Guardian (RSS)

Times Of Oman (RSS)

Oman Observer (RSS)

Kuwait Times (RSS)

Arab Times (RSS)

Specialty News and Blogs:

1913 Intel (RSS)

CNAS: Abu Muqawama (RSS)

CNN Security Clearance Blog (RSS)

Michael J. Totten (RSS)

Michael Yon (RSS)

Spacewar.com (RSS)

Site Intelligence Group - Jihadist News (RSS)

Small Wars Journal (RSS)

The Long War Journal (Site-Wide) (RSS)

Understanding War (RSS)

The Guardian: Julian Borger's global security blog (RSS)

Wired.com: Danger Room (RSS)

Wired.com: Threat Level (RSS)

Podcasts:

BBC Xtra Arabic Podcasts (RSS)

BBC Documentaries (RSS)

BBC Global News Podcast (RSS)

BBC Newshour (RSS)

KCL Department of War Studies' Podcast (RSS)

Past Events - The Heritage Foundation (RSS)

Military Flickr Feeds:

Flickr: Defence Images (RSS)

Flickr: Official U.S. Navy Imagery (RSS)

Flickr: The U.S. Army (RSS)

Flickr: United States Marine Corps Official Page (RSS)

A final point: Google Reader also allows users to export and import their feeds from one Google account to another through a simple XML file download/upload. If anyone reading this is interested in saving time by importing my feed file and then adding their own additional selections, let me know and I'll be happy to E-mail it to you.

Personal Security, Online and In Person

I apologize for the delay in posting over here. As anyone who's following the other blog will know, I've been busy in Scotland, getting settled into my postgraduate program in Strategic Studies as well as life in general in Scotland. Unfortunately, security never sleeps, and there have been a number of items, varying in degree of tragedy and severity, that merit mention.

Beginning with the most absurd: David Axe reports at Wired.com that Taliban agents are posing online as "attractive women". While most of us aren't concerned with Taliban infiltration on a daily basis, this story is a good reminder that people online aren't always who they say they are. It's also to keep in mind that there's a spectrum: on the one end, you Taliban posing as beautiful women, or Nigerian princes who want to give you money. On the other end, you may have something fairly benign: a potential suitor being disingenuous about their weight or age, perhaps. One of the more outlandish claims I've ever heard about Craigslist is that most of the supposedly attractive women posting there are actually homosexual men trying to con straight men into sending inappropriate pictures of themselves. I can't speak to the accuracy of that claim, but regardless, it's a good reminder to be careful of the information you share online.

A friend sent me the second item for today, from the National Association of Realtors: 10 Things a Burglar Doesn't Want You to Know. It has some great tips for securing your home - and, not surprisingly, the advice can help with more than just burglars. The NAR also has a home security website and an RSS feed. One item that's not included in the list: get a dog.

I intend to express some thoughts about the recent events in Benghazi, Libya and Camp Bastion/Leatherneck, Afghanistan, but it's important to me that I do this properly, something I don't have time to do currently. I'll address one or both of these events in the next post.

Resource Security and Risk Management

One of the current hot topics in international politics is resource security. Energy security - specifically fossil fuels - is the most extensively discussed flavor of the issue, but other areas of study include rare earth metals (used in many modern electronics) and even water. Some analysts predict wars revolving around scarce water resources within the foreseeable future.

A few days ago, I ran across this video...



... which reminded me of this podcast from the Department of War Studies at King's College London, which was published in late 2010. The two items provide valuably contrasting points on the topic.

Rare earth metals provide a good case study for some of these phenomena. For those readers who are unaware, rare earth metals are a range of heavy metals whose properties make them indispensable in the manufacture of modern electronics. While they are found in several locations, the vast bulk of rare earth metals are exploited from mines in China. In recent months, China has been accused of restricting rare earth metal exports. As these materials are critical not only for consumer electronics, but also for systems vital to international security, the potential decline in availability relative to demand could become a serious international issue, similar in many respects to the supply and sourcing of fossil fuels. The potential risk affects not only the price, but the actual international availability of the critical commodity in question.

At the same time, the increased risk to global supply makes the potential exploitation of other sources of rare earth metals more lucrative. For example, Japan reported a number of months ago that it had located a source of rare earths in the Pacific seabed - a source that has become lucrative enough to exploit due to the Chinese lockdown on their supplies. According to Wired, it has also compelled the Pentagon to research new ways to mine rare earth metals, and I've also heard (but unfortunately, don't remember the source) that technical experts are also researching methods of manufacturing modern electronics without rare earths.

Of course, the world is seldom so simple: for example, there are allegations that the rare earth mineral coltan has fueled a war in the Democratic Republic of Congo. Additionally, the the mining and refinement of rare earth metals is an ecologically hazardous process. This introducing environmental concerns as an additional limiting factor on sources outside of developing nations, in the same way that environmentalism has limited the use of both traditional fossil fuels and the proliferation of nuclear energy.

The lesson, of course, is that while the so-called "invisible hand" can impact the management of risk, even in matters of resource security, it is ultimately subordinate to human factors.

Maritime Risk Management

One of the growing markets in international risk management is maritime private security. A recent book on the topic is Maritime Private Security: Market responses to piracy, terrorism and waterborne security risks in the 21st century, edited by Claude Berube and Patrick Cullen. Berube and Cullen lectured on the topic at the Heritage Foundation in March. You can watch a video of the event or download the podcast here.

Although the rise of piracy in the vicinity of Somalia garners most of the current news attention, risk management professionals monitor security threats in a variety of other key areas. These include maritime bottlenecks such as the Straits of Gibraltar, Hormuz, and Malacca, and the Panama and Suez Canals. A July 2010 attack on a Japanese tanker in the Strait of Hormuz may have been linked to al Qaeda, and investigative journalist Richard Miniter has tied al Qaeda to several disrupted plots to attack shipping in the Strait of Malacca. Berube and Cullen's presentation goes into further detail on implications and strategies for maritime risk management efforts for the foreseeable future.

Using Comedy to Illustrate OPSEC

A few years ago, I attended the National Operational Security Conference. In one of the lectures I attended, the speaker played a clip from an old episode of Saturday Night Live that aired during the Persian Gulf War. You can read the transcript of that sketch here, and anyone who uses Netflix can view it online (Saturday Night Live: The 1990's, Season 16: Ep. 12 (Kevin Bacon)). It's a good illustration of the challenges faced by anyone whose job is to disseminate information to the public while protecting information that could be potentially damaging.

The military term for protecting critical information from exploitation by an enemy is Operational or Operations Security, or "OPSEC". The military goes to great lengths to train personnel of all stripes to protect information that could be useful to adversaries, and a legion of Public Affairs Officers are specially trained to provide relevant information to the public without divulging secrets that could jeopardize personnel or operations. In the corporate world, this is accomplished by strategic communications specialists. Although the military stakes are often higher, companies take the control of information very seriously. Improper disclosure of sensitive data about a corporation or other organization could encourage corporate espionage, or damage the public's perception. The same is true of the military, with the added risk of endangering the lives of personnel and the effectiveness of missions vital to national security.

The military uses the Five Step OPSEC Process as a tool to help protect sensitive information. The process is as follows:

1) Identify critical information
2) Threat analysis
3) Vulnerability analysis
4) Risk assessment
5) Implement OPSEC Measures

The best OPSEC principle I've ever heard is called "The New York Times Rule", or the "Karachi Corollary". When determining whether information should be protected or released, ask yourself: "Would I want this information to be published on the front page of the New York Times? What about on the screen in an Internet cafe in Karachi, Pakistan?" More often than not, the answer is "no".

As with any functional area of security, the best advice is to err on the side of caution. If you think that a piece of information could be useful to an adversary, it probably could be. Organizations with security concerns should do their best to promote a culture of awareness and caution.

Omani Terrorists?

I was shocked to see this article on Long War Journal as I was reviewing my RSS feeds this evening. One Omani terrorist is counterintuitive, as Omanis follow the moderate and tolerant Ibadhi sect; the idea of a group of Omani jihadists is almost beyond belief. I visited Oman earlier this year, and fell in love with the country and its people. To think that several of Oman's sons have dedicated themselves to jihad is tragic.

Camera Phones and Security

I tend to disagree with Andrew Exum a lot, but his recent op-ed is spot-on, and reflects one of my earlier posts about security and social media. The case of the American troops caught snapping pictures of themselves posing with dead Taliban is disconcerting, but the questions it raises about camera phones in combat are synonymous with the questions it raises about camera phones and both personal and organizational security. The implications are different for every person and every organization - for example, I probably don't have to worry as much about a stalker collecting information about me from pictures I post of myself online as would a hundred-pound cheerleader. In the business realm, a local flower shop will have less cause to hire a public affairs officer to clear the release of employees' camera phone photos than the Department of Defense. "Ex" is right: some of this will improve as policy makers retire and are replaced by a senior officer and NCO corps that understands technology - as "natives", to quote Ex. That said, I think an issue still stands, because whereas the retiring officer and NCO corps views security through a post-Cold War framework in which information required tight controls, but was also much easier to control. Today's young people come from a culture in which it's natural to share every detail, all the way down to the time and location of the restaurant that you've just "checked into". A greater understanding of technology and its capabilities (positive and negative) is important, but so is strong training on why some information is sensitive and worthy of protection. The same concept applies to individuals and private organizations.

A Victory for Afghan Security

Earlier this week, the Taliban staged what has been described by media sources as a daring raid. I'm of the mind that this gives undue credit to the Taliban, as high profile raids are no substitute for support from the populace and the military superiority required to stage militarily costly attacks on an enemy. The Taliban boasts neither widespread voluntary support from the Afghan population, nor the military capability to openly challenge ISAF or Afghan forces. Raids like the one that took place earlier this week serve no military purpose, and are purely designed to give the appearance of strength to those who don't know to read between the lines. Unfortunately, what high profile raids lack in military effectiveness, they more than make up for in propaganda value.

The security situation in Afghanistan isn't promising. Good news is scarce, and bad news is plentiful - like the latest example of troops behaving inappropriately with Afghan human remains. The aftermath of the raid produced some rare good news, because Afghan security forces in Kabul repulsed this latest attack with minimal support from their coalition partners. I doubt this is the paradigm shift that wins the war, but it's at least encouraging. It will take a lot more stories like this for this conflict to end in anything other than a protracted continuation of the conflict.

Ironically, this story comes in the wake of Russian concerns over NATO's stated 2014 withdrawal deadline. Russia's vocal concern is ironic, given that Russia has made no attempt to volunteer its support, and has actively complicated ISAF's efforts to establish redundant supply lines in Central Asia. Afghanistan's fate could have a greater direct impact on Russia's national security than on America's, which makes Russian statements and policies all the more ironic.

Timothy McVeigh and Terrorism

As I've continued my graduate school pre-readings, I've come across several mentions of the Oklahoma City Bombing and Timothy McVeigh in the context of domestic terrorism. After 9/11, Oklahoma City was repeatedly invoked for one reason or another, as it was the most recent violent mass casualty event prior to the al Qaeda operation. Yesterday, a question struck me: did the Oklahoma City Bombing meet the technical definition of "terrorism"? The same question could be asked of the ongoing Anders Behring Breivik trial in Norway, or the Beltway Sniper case. All of these incidents were obviously horrific, unjustifiable outrages committed against scores of unarmed and innocent civilians, and by posing the question, my intent is not to detract from that outrage in any way. My question is more a matter of semantics, with limited relevance to discussions of security policy.

Most definitions of terrorism include the concept of influencing political decisions - essentially, violence is used against civilians or other non-combatants in order to cause widespread fear, which then influences the political process in favor of demands made by the terrorist. The influence on politics is a key element of the definition of "terrorism". In the case of the Oklahoma City Bombing, while McVeigh's motives for carrying out the attack were influenced by politics, he doesn't seem to have stated a desired outcome or made any policy demands. I've seen no evidence that McVeigh had any policy demands to accompany the horrific violence he had committed, and he stated that the bombing was an act of revenge for the events of the Waco Standoff several years earlier. The question, then, is whether "terrorism" is the right word to define the Oklahoma City Bombing; or would another, such as "mass murder", be more appropriate? The same could be said of Anders Behring Breivik, who distributed a manifesto shortly before carrying out his attack, but who doesn't appear to have had specific policy demands.

To a great degree, this question identifies a difference without a distinction: the methods we employ to stop al Qaeda from detonating car bombs are the same as the methods we employ to stop another Timothy McVeigh from detonating car bombs. Where the distinction could become important is in the discussion of policy objectives aimed at mitigating threats of terrorism. By associating the likes of al Qaeda, ETA, and the Real IRA with the likes of Timothy McVeigh or Anders Behring Breivik, security strategists and public officials tend to generalize methods for prevention and interdiction. I would make a comparison to heart disease and cancer: both are insidious diseases that can kill you; their causes, treatments, and preventative measures share some commonalities; but if a physician were to treat them as the same disease, said physician would likely do a poorer job of addressing both, whereas identifying key points of similarity and key differences allows for more effective mitigation of both. In the same way, it seems logical that a mass murderer like Timothy McVeigh not be summarily lumped in with a terrorist group like al Qaeda, so that the commonalities can be addressed while simultaneously focusing on the aspects which divide the two in order to more effectively prevent and mitigate attacks by both.

Ironic Music from IRIB

I recently discovered that Iran's strategic communications agency, Islamic Republic of Iran Broadcasting (IRIB), has finally started offering its programs as both streaming audio and as podcasts. It's noteworthy that it took Iran at least a decade to catch up to the BBC, which had mastered both streaming audio and podcasting nearly a decade ago. I downloaded the Thursday, 29 March 2012 "Voice of Justice" program and burned it to an audio CD. I used to regularly listen to the IRIB's "Voice of Justice" program via shortwave radio when I lived in Virginia, but that signal was difficult to tune in on the East Coast, and I have little hope that I'll be able to tune in now that I'm back on the West Coast.

While listening, I was surprised to recognize some of the buffer music from one of the news segments. I checked on YouTube and confirmed that, sure enough, IRIB was using Alan Silvestri's theme from the 1986 Chuck Norris film The Delta Force as buffer music for their propaganda broadcasts. For those who are unaware, the real Delta Force's first mission was Operation Eagle Claw, the failed attempt to rescue the Americans held in the Iran Hostage Crisis. Reality is truly stranger than fiction.

Social Media and Deployed Security

From Michael Yon: Insurgents Used Cell Phone Geotags to Destroy AH-64s in Iraq. You can read the Army's full press release here, and you can read the Army's excellent presentation on the security dangers of geotagging and social networking here, also hosted by Michael Yon.

Technology is a great thing, but every new development in social networking makes it all the more critical for users to approach its use with security in mind.

Welcome to the JTS Blog

Welcome to Joshua Tree Security's blog. We're currently in the process of developing our strategic plan and defining our business model. Over the course of the next few months, we'll be posting about topics such as:

future U.S. Navy force structure;

U.S. government processes and documents pertaining to strategic planning;

podcasts pertaining to security and other related topics; and

foreign language study.

Be sure to check in every few days, as we begin to discuss security topics of general interest, as well as items that may have a specific impact on you.