What Achilles can Teach us About Threat Management

By: Dell Spry

There are numerous similar, seemingly inconsequential, soft targets scattered across our country unprotected by a single surveillance camera or even a strand of barbed wire. Is this issue getting the attention it deserves? Just whose responsibility is it to make that determination? Have you included threat planning in your risk management strategy?

In a December 26, 2020 article in the Nashville Tennessean, Yihyun Jeong and Natalie Allison reported, “State and local officials and experts say the fact that a multistate region could be brought to its knees by a single bombing is a ‘wake-up call,’ exposing vulnerabilities many didn’t know existed and predicting it would lead to intense conversations about the future.” 

The bombing and the damage to the AT&T office was a “single-point of failure,” according to Douglas Schmidt, the Cornelius Vanderbilt professor of computer science at Vanderbilt University. 

“That’s the Achilles’ heel. The weak link,” he said. “When one thing goes wrong and everything comes crashing down.” Further in the article, Schmidt is again quoted as saying, “Having a critical facility in a major metropolitan area next to a street without any other protections than a thick wall is crazy. The silver lining here is nobody was killed,” he said. “But this is a wake up call that, if people treat it right, will help with future situations and be better prepared.” 

All of this just from one person in an RV. How great could the damage be if it were planned and carried out on a much grander scale, but going after smaller, much softer targets? 

Let’s dive in. 

What are Soft Targets? 

According to the Cybersecurity and Infrastructure Security Agency (CISA), Soft Targets and Crowded Places (ST-CPs), such as sports venues, shopping venues, schools, and transportation systems, are locations that are easily accessible to large numbers of people and that have limited security or protective measures in place making them vulnerable to attack. DHS has been working for many years to address ST-CP security and preparedness, with recent shifts in the threat landscape calling for renewed departmental focus on leveraging and maximizing its ST-CP security authorities, capabilities, and resources in an integrated and coordinated manner.

What does copper theft have to do with critical infrastructure?

What harm could come about from a person, or a group of people, or a hostile government repeatedly, and successfully attacking such a target? Remember years ago when the theft of copper was out of control to the point of being epidemic? While researching this paper I came across an article dated December 5, 2008 by Homeland Security Newswire titled “FBI: Growing copper theft threatens U.S. critical infrastructure”. The 2008 DHS report stated “the FBI says that, individually, isolated instances of copper theft cause big enough headaches of their own, but taken together, they present a significant problem for the United States — a threat to public safety and to U.S. critical infrastructure.”

Stealing copper is not merely a criminal activity. According to the FBI, it has serious homeland security implications. Here are three examples:

• Last April, when tornadoes were threatening Jackson, Mississippi, many residents were not alerted to the severe weather because five tornado warning sirens did not work. The reason: the sirens’ copper wiring was stolen.
• A month earlier in Polk County, Florida, nearly 4,000 residents were left without power after thieves stripped copper wire from a transformer at an electric company facility. Estimated losses: $500,000, to say nothing about the homeowner hassles.
• Late last year, vandals removed 300 feet of copper wire from a Federal Aviation Administration (FAA) tower in Ohio, threatening to interrupt communications between in-flight aircraft and air traffic controllers.

According to the FBI, “the demand for copper from developing nations such as China and India is creating a robust international copper trade,” and as the global supply of copper continues to tighten, “the market for illicit copper will likely increase.” From 2001 until 2008, the price of the metal increased by over 500 percent.

The thieves may act individually or as part of organized groups and are interested in the quick cash they get from selling copper to scrap metal dealers. Their targets include electrical substations, railroads, security and emergency services, and other sensitive sites. Already, copper thefts have been responsible for shutting down railway systems and even 9-1-1 emergency systems.

Note the FBI’s statement that the size of the totality of these thefts and the fact much of the stolen copper was going overseas was having an adverse impact on our nation’s critical infrastructure.

What is critical infrastructure?

According to a DHS Office of Counterterrorism Critical Infrastructure Protection Unit document published January 2, 2021, ”The U.S. Department of Homeland Security (DHS) has identified 16 Critical Infrastructure sectors that compose the assets, systems, and networks, whether physical or virtual, so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.”

The 16 Critical Infrastructure sectors are:

1. Chemical
2. Commercial Facilities
3. Communications
4. Critical Manufacturing
5. Dams
6. Defense Industrial Base
7. Emergency Services
8. Energy
9. Financial Services
10. Food and Agriculture
11. Government Facilities
12. Healthcare and Public Health
13. Information Technology
14. Nuclear Reactors, Materials, and Waste
15. Transportation Systems
16. Water and Wastewater Systems

The list is broad and deliberately so. A major point of the above list is to show we are all stakeholders in this issue. When there is an issue affecting the critical infrastructure and our nation’s security, it is our problem. We all own it.

In a hstoday.us article by Frank Cilluffo and Sharon Cardash dated March 14, 2020 the authors note – “The threat to U.S. critical infrastructure posed by foreign state-owned enterprises is real and America is not doing enough to inoculate itself against it and effectively manage the risk to our economic and national security.”  The issue has come up repeatedly in connection with major U.S. rail and transit systems such as Boston, Chicago, Los Angeles, and Philadelphia. In these cases and others, China Railway Rolling Stock Corporation (CRRC) is building and supplying rail cars after outbidding the competition. 

Why does this matter? Because the potential for continuous and direct (adversary) access to U.S. railcars and transit systems is real. This means that it could shut the trains down, disrupt operation, knock-on effects could hit other critical U.S. infrastructure sectors, and major U.S. cities could experience significant economic effects.

The problem is that non-market economies like China’s skew the playing field: U.S. private enterprise has the deck stacked against it when up against bids that benefit from substantial state support. From the standpoint of resource-strapped U.S. local governments, the temptation to go with the lowest price is clear, but you get what you pay for — and in this context, the price of giving in to temptation is far too high.

Consider this: a Chinese foothold in the U.S. supply chain gives rise to a host of concerning possibilities—from computer network exploitation (spying), to intelligence preparation of the battlefield (mapping of critical U.S. infrastructure), to computer network attack. The foreign company need not even be a willing accomplice since Chinese laws oblige help and afford the state a pipeline into U.S. infrastructure.

National security and economic security are two sides of the same coin.

If you think this is just about rail cars, think again. The transportation sector is like a hub that serves many spokes. Among them is the U.S. military, which relies to a certain extent upon civilian entities and functions in order to project U.S. power around the globe and execute defense operations. To compromise the transportation sector is to compromise mission assurance potentially. This is just one example of how national security and economic security are two sides of the same coin.

Another interesting illustration of this principle: 5G telecommunications technology from Chinese companies Huawei and ZTE. Here again, foreign state-owned enterprises and the advanced technologies they offer at relatively low cost pose a dilemma for the owners and operators of critical U.S. infrastructure. 5G is the foundation upon which next-generation networks worldwide will rest. Every sector and function that depends on telecommunications will in turn be affected by (who builds and contributes to) these networks. The stakes are high. Does it make sense to build 5G on quicksand? The same holds true for the Internet of Things.

Conclusion

The threats are coming from every direction and do not involve just bombs and terrorists. The economic attacks are endless. The cyber attacks are endless. If you can envision a way to do harm to a company, someone with the intent and ability can envision it too. 

What do we do?

We plan. We plan for what could be in order to mitigate the chance that it comes to be. We plan to keep bad events from happening and we plan on how to respond in case they do. To that end, having a dedicated partner, like Chesley Brown, to help determine vulnerabilities (soft targets) within your company while balancing risk costs with target benefits. While it may be impossible to eliminate all corporate risk, we can work with you to identify and remove unnecessary risks.

As your partner and team member, Chesley Brown can help you identify the threat landscape (who is my adversary, how do they operate, and how do I operate in that environment), threat to the target environment (what are the current threats to my business), level of threat capability (how capable is my adversary of carrying out the threat to my business) and real-world examples of threats.

Contact us to discuss updating and improving your existing threat assessments, running ”red team’ exercises to test the effectiveness of your security program and corporate infrastructure, planning and executing “table top” exercises, or any security requests.