In the United States, niceness—our tendency to hear someone out, follow instructions, and extend the benefit of the doubt—makes it much easier to ensure government building security.
“From my experience,” explains Luke Bencie, managing director at Security Management International, “Americans are nice: if you give them a good reason why you’re holding them up in a security line, they understand and cooperate.”
“Americans want to make sure that security isn’t a show or fluff; they want to see that their inconvenience and time is really being put to good use. They get that, and they’ll go with that. You go to other parts of the world, even places that are much more dangerous than the United States, and you don’t see that.”
How Culture Short-Circuits Physical Security in Government Facilities
“In fact,” Bencie continues, based on his experience, “the people most in need of enhanced security—those in the Middle East or some Asian countries—are also the most likely to maintain the mindset ‘Oh, no no, I’m important; I don’t need to stand in this line, you don’t need to question my friend, you don’t need to see ID,’ and just push their way through a door.”
This “pseudo-class system”—where money and status often trump public regulations—creates a culture where security is impossible.
Bencie has spent decades working in international security. He spent years with the US State Department’s Foreign Emergency Response Team (FEST)—a US inter-agency emergency response team tasked with responding to terrorist attacks globally. Since then, he’s personally worked as a security consultant in more than 140 countries and is the author of several books, including Among Enemies: Counter-Espionage for the Business Traveler and The Clandestine Consultant: Kings, Sheiks, Warlords and Dictators.
“Cultural differences really are big determining factors in how you implement security. You can spend all this money on security, but, at the end of the day it does boil down to the diligence of a security guard or if someone can piggyback through a door without showing credentials. The human being is always the weakest link.”
We need to design our security measures around the “human factors” brought into play by all of the parties involved, from the senior-most official to the rookie custodian.
Two Faces of Government Security: Procrastination and Panic
Modern democracy is often defined by delicately balanced contradictions. Government security strategies (whether local or federal, in the United States or abroad) are no exception. On the one hand, most government offices change hands between political parties or appointees every two to four years. As a result, there’s a tendency to kick dramatic security policy shifts down the road. Many long-time civil servants joke that the guiding principle for most government officials is:
“It’s easier to do nothing and be promoted than do something and be held responsible.”
On the other hand, when there is a major security incident (such as a terrorist attack, active shooter event, or some other catastrophe) quick and decisive action is vital to reassuring the general public, worried constituents, and skittish stakeholders.
“This absolutely has negative security consequences,” says Bencie. These seem like opposing forces—infinite procrastination on the one hand and panicked over-reaction on the other. But they are really two sides of the same coin:
By kicking the can down the road, we’ve avoided even beginning to think about the threat. As a result, when we need to act quickly, we cannot do so thoughtfully.
“When there is a knee-jerk reaction, the solution is just to throw money at it. People want to show that they’re doing something, even if they don’t know what it is they’re actually doing. And the truth is, there are still no perfect technologies out there. There is no solution you can buy, no button you can pay to push, to fix security. You could spend an unlimited amount of cash and still never have perfect security. In order to be 100% secure, you’d have to spend trillions of dollars and we’d all have to be in prison.”
Properly Targeting Security in Government Facilities
As an example, Bencie considers airport security changes following the terror attacks of September 11, 2001.
“Look at airport security. The initial knee-jerk reaction [after 9/11] was all over the map, every little thing had to be done now.”
Where did that get us?
According to Bencie, “The damage from that day wasn’t just the attacks themselves, but the subsequent 16 years of incalculable disruption to American lives on top of the billions and billions of dollars spent for things that we still can’t say really act as deterrents,” let alone cost-effective countermeasures.
“It’s tough to say if our money has been well-spent. Even if it was, the fact remains that there’s always going to be a risk, there’s always going to be a threat, and a lot of times spending money is not going to be the answer. Who spends the most is not going to be safest at all times.”
A knee-jerk response is not, by definition, bad. Our reflexes save us from countless injuries every day. But a reflex is, by definition, unconsidered. We need to train our reflexive responses in advance if we want them to be productive. Instructors train new drivers to swerve onto the shoulder instead of oncoming traffic. We likewise need to train our “security reflexes” before an incident occurs.
If we invest a little time during the “procrastination” phase to thoughtfully assess our risks and vulnerabilities, then we will know where to start when there is finally some public appetite for quick action.
The CARVER Methodology for Assessing Government Security
A good assessment has to include both target analysis and vulnerability assessment. The target analysis is a threat assessment in which you put yourself in the minds of your adversary. What are their goals, capabilities, and values? Having grasped the fundamentals of what you are up against, the vulnerability analysis can then focus on what sorts of threats you are exposed to, given your understanding of the adversary.
For these sorts of assessments, Luke Bencie favors the CARVER Methodology (sometimes called the “CARVER Matrix”). CARVER is an acronym for:
- Criticality – What are the single points of failure?
- Accessibility – How easy is it to access critical assets?
- Recoverability – How hard will it be to recover from an adverse event involving these assets?
- Vulnerability – How open to attack is the asset (based on the adversary’s capabilities)?
- Effect – How great are the negative consequences resulting from an attack and your subsequent response?
- Recognizability – How likely is it that the adversary can recognize that the asset is critical?
By scoring it along these six criteria, we can assess anything using the CARVER Methodology—a building, a person, an information system, a business process, a product. SMI’s Director of Critical Infrastructure Protection, Leo Labaj, was one of the original designers of CARVER during his career with the CIA. Today he spearheads SMI’s CARVER division, performing assessments and running training courses. Bencie and Labaj even co-authored the definitive book on CARVER: The CARVER Target Analysis and Vulnerability Methodology: A Practical Guide for Evaluating Security Vulnerabilities.
The Importance of Offensive/Defensive Thinking in Security
Baked into CARVER’s DNA is the sort of back-and-forth offensive/defensive thinking that meaningful security assessment really demands. The CIA created CARVER in the 1970s, at the dawn of the age of modern terror.
“What I like about CARVER,” Bencie notes, “is that the CIA took the old CARVE offensive targeting method used by Air Force bombers [during WWII] and flipped their hats around to become more defensive.” By harnessing offensive thinking to serve defensive ends, you end up with security solutions that are “proactive instead of reactive.”
“We do train folks to do CARVER method analysis,” Luke Bencie explains. “But it’s relatively rare that an organization already has security people in place with good military, law enforcement, or intelligence training. That’s vital. A lot of our SMI associates who do this, they have a background in explosives, sabotage, special operations, and/or chem-bio. And all of our guys have collectively worked in at least 75 countries. They understand the realities of an explosive device, the mindset of a terrorist organization, the technical capabilities of foreign intelligence services—the realities of the sorts of threats we now face.”
The Downside of Being Nice
American cooperation, openness, and confidence are some of our greatest security assets. But Bencie is quick to warn about the downside. While our friendliness and openness continue to make the U.S. the world’s most popular destination for immigration, they can become liabilities.
“There’s been a big push in the last 5 to 10 years from hostile foreign intelligence services (FIS) to target and exploit Americans—especially in the private sector. Every American must recognize the FIS threat and how intelligence officers take advantage of the “niceness” of Americans. Frankly, it’s very easy to elicit information out of us, manipulate us, and we don’t know that it’s happening. Maybe it’s in our upbringings, where we are taught to be friendly to strangers and to reciprocate kindness. However, sometimes our greatest human assets can be taken advantage of. It’s a shame that this is the world we live in. But, you don’t have to look much farther than our daily headlines to see this is a real security concern.”
Bencie isn’t saying you should be rude—but he certainly wants you to be careful.