Resilience and WMD Threats

June 16, 2006


An article in yesterday’s Washington Post [“The End Is Near, But First, This Commercial,” by Libby Copeland], talked about a SciFi Channel-sponsored discussion about doomsday scenarios that attracted a large Washington, DC, audience including two congressmen. The article concludes: “There are a lot of really crummy ways we could all die, including nuclear annihilation or a flu pandemic. And then, of course, there’s the possibility that we’ll be attacked by aliens. Or that robots might become smarter than humans and put us in zoos.”


I was drawn to the article because today I’m speaking to the Weapons of Mass Destruction Anti-terrorism Task Force at the Department of State, which has also been tasked with looking at doomsday scenarios. One of the legitimate experts that attended the SciFi Channel’s discussion was Joseph Cirincione of the Center for American Progress. He noted, “There are many, many experts who believe that if we just keep doing what we’re doing, a terrorist attack involving nuclear materials is inevitable over the next 10 years.” I loved what the article said about that discussion, “Nuclear terrorism is indeed scary, but it seemed strange to tackle the issue through a TV show that treats aliens as nearly equivalent to al-Qaeda.”


I was asked to speak at the State Department because of my expertise in resilience, not my expertise in weapons of mass destruction. They’ve asked me to touch on vertical and horizontal scenarios and how one must think differently about them. They’ve also asked me to provide my thoughts about creating a resilient system in the face of the terrorist threat. Terrorists will continue to use asymmetrical attacks in an attempt to render impotent our technological advantage. The development of a resilient system ensures that our technological advantage remains relevant. That’s a big deal. A resilient system can thwart terrorist objectives or significantly mitigate the results of any attack.


Any analyst who has thought about defense against terrorism understands that the number of potential targets is almost infinite. Trying to protect them 24/7 is simply unaffordable and there is no one-size-fits-all method of defense. A varied defense-in-depth is required. I’m going to tell Task Force members that the best way to make the system resilient is to think regionally rather than nationally. By nurturing what I call Regional Resilience Ecosystems, you have a much better chance of getting cooperation. Regional groups can address common challenges (it’s not difficult for people to understand that the challenges facing New York City are different than those facing Topeka, Kansas).


Regional Resilience Ecosystems would form the heart of a new twenty-first century civil defense system. Regional groups would be able to customize:


  • Methodologies they use
  • Processes they protect
  • Rule sets they establish
  • Measures & countermeasures they implement
  • Training & education they promote, and
  • Contingency plans they practice


The goal is to create a system that blends five areas: 1) Best Practices Methodology; 2) Resilient Technology Architecture; 3) Automated Rule Sets; 4) People Processes; and, 5) Integrated Political Leadership. My vision is that technology eventually becomes sophisticated enough that we can blend logic, cognition, and technology into a “singularity” that makes much of the system autonomous so that it can sense attacks, respond automatically, and change tactics as circumstances warrant — with or without human intervention. I’m still working on my “singularity” blog, but hope to have it ready soon. Let me explain what I think happens in each of the five areas mentioned above.


Part One: Deploy a Best Practices Methodology for Global Resilience

  • Identify Critical Assets and their enabling business processes and core functions for competitiveness and sustainability for regional ecosystems
  • Identify security, compliance and competitive rules (metrics and measurements)
  • Identify contingency and disaster plans
  • Identify and document tacit knowledge contained in key individuals
  • Determine data integration path for automated business processes and core functions
  • Identify and map data sources
  • Perform lean six-sigma, CMMI, and rational unified processes
  • Perform threat and vulnerability assessment on business processes and core functions and thus critical assets


Part Two: Create a Resilient Technology Architecture for regions

  • Utilize a Service-Oriented Architecture
  • Integrate structured and unstructured data and information
  • Create fusion center to integrate data from regional and other relevant sources
  • Automate core business processes and functions (to the extent possible) that will drive an automated response to WMD events and later create an autonomic response (“the singularity”)
  • Embed rules sets into automated business processes. Rules sets include:

1. Security
2. Compliance
3. Contingency, Continuity and Disaster Plans
4. Performance metrics and measurements

  • Create Transparent Intelligent Interfaces for near-real-time monitoring of events, processes and compliance with rules sets


Part Three: Automate Rule Sets

  • Automate rule sets described previously into code (XML) and mathematical algorithms
  • Create electronic libraries of rules that can be dynamically updated in an event driven environment
  • Deploy automated rule sets as secure web services inside the Service-Oriented Architecture

1. Embed automated rule sets inside the business process and data layers of the SOA
2. Extend processes and rule sets across the ecosystem between different organizations on the grid

  • Create best practice for updating and redeploying automated rules and revised business processes in an event driven environment


Part Four: People Processes

  • Create training and educational facilities to cross train:

1. First Responders (fire, police, EMS, hospital workers)
2. Military and intelligence officials
3. State and Local Governments
4. Corporations and individuals

  • Perform change management and organizational dynamics
  • Run red team scenarios that simulate a WMD attack to test our responses both planned and dynamic
  • Preposition materiel and other supplies and resources for rapid deployment
  • Stand up and manage regional “NOCs” that create the center of gravity for responding to WMD attacks.


Part Five: Integrated Political Leadership

  • Government was given a pass after 9/11 — but Hurricane Katrina was a setback to government credibility
  • There should be an “answer man” to whom the public can turn for straight answers (otherwise unfulfilled expectations will foster anger and possibly chaos) — the Giuliani Effect
  • Establish a system that ensures “One Clear Voice” is used for decision making (department rivalries must be subsumed for the greater good)
  • In case of actual WMD use, that voice should be presidential
  • Determine ahead of time the location of supporting cast (At president’s side? In a command center? At the scene?)
  • Create and deploy best practices and processes for responding to media inquiries and other public communications


This kind of customizable, flexible framework will allow people tasked with protecting, responding, regulating, and/or recovering critical infrastructure and assets to work together to make America more resilient.

