The challenge is coping with fear





By Mark Huband

Financial Times, 24 June 2005

When a UN conference last month failed to reach agreement on how to strengthen the Nuclear Non-proliferation Treaty (NPT), the potential implications were felt most vividly in the Balkans.

As the delegates drifted away from the UN meeting in New York having achieved “very little”, according to the president of the committee reviewing the treaty, UN secretary-general Kofi Annan chastised them for having “missed a vital opportunity to strengthen our collective security against the many nuclear threats to which all states and all peoples are vulnerable”.

But as the failure became evident, 300 parliamentarians from Nato countries were meanwhile meeting in Ljubljana, the Slovenian capital. There they were given a simulated taste of what failure to prevent nuclear material or weapons falling into the hands of terrorists might actually mean.

Dubbed “Black Dawn,” the table top demonstration was the second Nato has held that simulated a nuclear attack on its headquarters in Brussels.

The exercise involved the simulated explosion of a weapon containing highly enriched uranium that had been stolen from a civilian nuclear reactor.

Globally, the ripples from the simulated attack were felt through the impact on financial markets and a slowing of commerce. The fallout – nuclear and other – on the global financial infrastructure from such an attack is now seen by security officials as central to the strategic planning necessary to address threats to business continuity.

Security officials in western countries, where the threat is seen as most severe, are in no doubt that the combination of the ongoing insecurity of nuclear material and al-Qaeda’s determination to perpetrate mass casualty attacks point to an ongoing threat.

“Weapons of mass destruction are the highest priority for all of us. But I still think that they [al-Qaeda] have not yet been able to acquire and operationalise this type of weapon. But evidently it is likely to happen,” says Cofer Black, former head of the CIA’s Counter-Terrorism Center.

But even as security services worldwide have notched up a growing number of successes by arresting potential terrorists and thwarting plots, there has been growing divergence in perceptions of the threat.

A recent opinion poll in the UK questioned 1,011 people and revealed that only 9 per cent considered terrorism to be the leading security concern. This was down from 26 per cent last autumn. Twenty-two per cent had concerns about health and 14 per cent about crime.

Eleni Nicholas, managing director of ACNielsen UK Ireland which conducted the poll, says: “There have been some well publicised thwartings of terrorist plots in the UK over the past few years. No threat has ever been more than that and I think the public have seen this and are feeling much more relaxed.”

Two weeks ago UK businesses were told by the police that the threat to them had been reduced from “severe general” to “substantial”. But the challenge companies face is that of distinguishing the general threat from their own specific vulnerabilities.

“Regarding local threats from landowners or local communities: these are threats over which companies have much greater control,” says Jake Stratton, director of strategy at Control Risks, the security advisory group.

“Regarding threats from animal rights groups, for example: it all comes down to the way companies defend themselves, their buildings and their reputations. If you take a company like Shell, which operates in countries where there is a terrorist threat: what brought it to its knees last year was the exposure of poor internal controls that led to the mis-stating of its reserves,” he says.

Internal procedures, either in accounting, the appointment of personnel or the security of buildings, had risen up the corporate agenda long before terrorism became the concern it is today. The vulnerabilities likely to be exploited by terrorists are seen by security specialists as long established, with the terrorist threat having made it simply more urgent that they be addressed.

“In the post-9/11 period, people were terribly concerned. I think that now there is not diminishing concern, but a more realistic concern about what the level of threat is,” says David Claridge, managing director of Janusian Security Risk Management.

“The reality is that for the majority of businesses outside urban conurbations the probability of a catastrophic terrorist attack is very low. Terrorism is a driver. But I think that is probably tailing off, as people realise that there are other risks. Clearly to have a terrorism oriented business continuity plan has benefits vis a vis other risks,” Mr Claridge says.

But in tailoring their security plans, companies have in the past been criticised for focusing too heavily on IT security as if the establishment of back-up systems will provide them with the ability to continue their operations in all circumstances.

However, as governments have the primary responsibility for security in the face of catastrophic threats, this focus on IT has now come to be seen as a correct strategy. The question now facing IT security chiefs is whether they are implementing adequate measures.

“Security awareness is probably the most significant single defence measure that any company can institute against both internal and external threats,” says Jeremy Ward, director of service development at Symantec, the software security company. He says that the significant threat to company computer systems comes from within and that “good personnel security is the best defence against internal IT-related threats”.

The pressure on companies to prevent damage from computer hackers and organised cyber-criminals is made all the more intense by the realisation that redress is barely likely to compensate for the damage they can cause.

“Cyber-criminals are no less cunning and resourceful than their ‘real world’ counterparts and are able to take full advantage of the different laws and jurisdictions in which web servers can be based,” wrote Peter Warren and Michael Streeter in Cyber Alert, a recent detailed study of the threat to computer systems.

“In this digital game of cat and mouse it is possible for the resourceful cyber-criminal to stay one step ahead of his or her pursuers,” they wrote.

Company security officers are under pressure to develop business continuity strategies that combine measures intended to secure companies from perennial internal and external threats like that from computer hackers but which can also heighten resilience in the face of the current terrorist threat.

“In most countries for most companies terrorism is an indirect threat, and they need to concentrate on the day to day threats, over which they do have some control by implementing security measures,” says Mr Stratton.

“It’s governments who have the responsibility for preventing terrorist attacks happening. If these measures fail, then companies can minimise the damage,” he says.

But the division of labour between government and business has been blurred. In part this is because significant differences persist between European countries and between the EU and the US over how best both to confront the immediate terrorist threat and dilute the process of new radicalisation which is becoming a big concern for counter-terrorism strategists.

These differences of strategy have hampered police investigations, restricted the sharing of evidence, and had the effect of generally creating greater alarm in the US than in the EU due to different methods of maintaining public alert.

Security strategists say these differences have complicated the ability of companies to assess the specific risks to their own business and to distinguish between the threat from terrorism and threats from other sources.

The transatlantic differences have been starkly revealed.

Last August the UK police were forced to launch a series of arrests when the US authorities announced that a terrorist cell had carried out surveillance of buildings in New York and Washington. The publicity incensed the UK police, who were forced to arrest several suspects before substantial evidence had been gathered against them. In a second incident the US refused to provide evidence to a German court, which led to the collapse of a terrorist trial this year.

Greater transatlantic co-operation between police and judicial authorities is now seen by counter-terrorism experts as essential to both streamlining operations and producing more accurate and specific threat assessments.

“We have pretty good consensus on what the intention of the terrorists is, but we have no real clue about their capability. US-European co-operation on the intent versus capability debate is absolutely vital,” says Roger Cressey, former director of transnational threats at the US National Security Council.

Europe’s counter-terrorism strategists are heavily focused on the remains of the al-Qaeda network, the emerging groups of radicals who have been inspired by al-Qaeda but are not connected to the pre-9/11 network, and the impact of the Iraq conflict on the global terrorist picture.

“Currently the flow [of radicals] is going into Iraq. But what happens when the instability there ends?” says Baltazar Garzon, Spain’s terrorism prosecutor. “The flow will change and the actions will change. At that point, Europe becomes a [primary] target, even though it is clearly a target already. In Europe we have the capacity to counter this situation effectively. But we are at a moment in time when what is essential is for us to co-ordinate better the activities of European security services. If we do not, the situation will get much worse,” Mr Garzon says.


© Copyright The Financial Times Ltd 2008.