Saturday, June 30, 2012

Maritime Risk Management

One of the growing markets in international risk management is maritime private security. A recent book on the topic is Maritime Private Security: Market responses to piracy, terrorism and waterborne security risks in the 21st century, edited by Claude Berube and Patrick Cullen. Berube and Cullen lectured on the topic at the Heritage Foundation in March. You can watch a video of the event or download the podcast here.

Although the rise of piracy in the vicinity of Somalia garners most of the current news attention, risk management professionals monitor security threats in a variety of other key areas. These include maritime bottlenecks such as the Straits of Gibraltar, Hormuz, and Malacca, and the Panama and Suez Canals. A July 2010 attack on a Japanese tanker in the Strait of Hormuz may have been linked to al Qaeda, and investigative journalist Richard Miniter has tied al Qaeda to several disrupted plots to attack shipping in the Strait of Malacca. Berube and Cullen's presentation goes into further detail on implications and strategies for maritime risk management efforts for the foreseeable future.

Thursday, June 21, 2012

Using Comedy to Illustrate OPSEC

A few years ago, I attended the National Operational Security Conference. In one of the lectures I attended, the speaker played a clip from an old episode of Saturday Night Live that aired during the Persian Gulf War. You can read the transcript of that sketch here, and anyone who uses Netflix can view it online (Saturday Night Live: The 1990's, Season 16: Ep. 12 (Kevin Bacon)). It's a good illustration of the challenges faced by anyone whose job is to disseminate information to the public while protecting information that could be potentially damaging.

The military term for protecting critical information from exploitation by an enemy is Operational or Operations Security, or "OPSEC". The military goes to great lengths to train personnel of all stripes to protect information that could be useful to adversaries, and a legion of Public Affairs Officers is specially trained to provide relevant information to the public without divulging secrets that could jeopardize personnel or operations. In the corporate world, this is accomplished by strategic communications specialists. Although the military stakes are often higher, companies take the control of information very seriously. Improper disclosure of sensitive data about a corporation or other organization could encourage corporate espionage or damage the public's perception of that organization. The same is true of the military, with the added risk of endangering the lives of personnel and the effectiveness of missions vital to national security.

The military uses the Five Step OPSEC Process as a tool to help protect sensitive information. The process is as follows:

1) Identify critical information
2) Threat analysis
3) Vulnerability analysis
4) Risk assessment
5) Implement OPSEC measures

The best OPSEC principle I've ever heard is called "The New York Times Rule", or the "Karachi Corollary". When determining whether information should be protected or released, ask yourself: "Would I want this information to be published on the front page of the New York Times? What about on the screen in an Internet cafe in Karachi, Pakistan?" More often than not, the answer is "no".

As with any functional area of security, the best advice is to err on the side of caution. If you think that a piece of information could be useful to an adversary, it probably could be. Organizations with security concerns should do their best to promote a culture of awareness and caution.