Summary: The American mindset—that we were somehow impregnable and immune from events occurring elsewhere in the world—was altered irrevocably on September 11, 2001, and more recently with the Fort Hood shooting and the Boston Marathon bombing.
Although it is tempting to think only about large-scale attacks, a risk manager, whose position can be either formal or informal, should be alert to attacks from a variety of sources, and make every effort to mitigate their effect.
Following is an overview of the terrorism threat and suggestions to mitigate its potential destruction.
Topics covered:
Introduction
What is terrorism?
Terrorism in the recent past—a key to the future?
Identifying the risk
Protecting personnel
Protecting the building
Protecting computer systems
A final note
Introduction
The tragic event of September 11, 2001, brought the reality of terrorism to the United States in ways unthinkable before. The U.S. has believed it had the luxury of being both isolated and insulated from the terrorism that occurs on a regular basis in the rest of the world. Think of the Sarin gas attack in the Tokyo subway system in 1995 by the Aum Shinrikyo cult, the on-going suicide bomb attacks in Israel, or the bombings in England in 1992, 1993, 1996, and 2000. Until 9/11, it was easy to shrug off those events—they happened an ocean away to someone else.
Yet, terrorism has been very much with us domestically in the past thirty years and shows signs of increasing. A 2002-2005 report by the FBI notes that the current round of domestic terrorism had its roots in the war protests of the 1960s and early 70s. Left- and right-wing domestic terrorism continues today in the form of extreme political, environmental, and animal rights groups. Some are loosely organized, like those who disrupted the World Trade Organization meeting in Seattle in 1999; others are more structured, like the Puerto Rican Los Macheteros (a Puerto Rican independence group).
Without a clear-cut idea as to the scope of terrorism, those concerned with disaster mitigation may not realize potential threats and assume, without reason, that a low profile business does not present a target.
The following discussion refers to the threats posed by terrorism in the broadest sense of the word and looks at risk management techniques to implement in order to mitigate property destruction and death.
Webster's New Collegiate Dictionary (Tenth Edition) defines terrorism as “the systematic use of terror, esp. as a means of coercion.” Terror is defined as “violence (as bombing) committed by groups in order to intimidate a population or government into granting their demands.” The FBI, in the report previously noted, defines domestic terrorism as “the unlawful use, or threatened use, of force or violence by a group or individual based and operating entirely within the United States or its territories without foreign direction committed against persons or property to intimidate or coerce a government, the civilian population, or any segment thereof, in furtherance of political or social objectives.”
In the Terrorism Risk Insurance Act of 2002, an act of terrorism is defined as “i) a violent act that is dangerous to human life, property, or infrastructure; ii) to have resulted in damage within the United States, or damage to an air carrier or U.S. flagged vessel or a United States mission; and iii) to have been committed by an individual or individuals acting on behalf of any foreign person or foreign interest, as part of an effort to coerce the civilian population of the United States or to influence the policy or affect the conduct of the United States government through coercion.” The Act states that terrorism does not include an act in the course of a war as declared by Congress or an act resulting in losses that do not exceed $5,000,000.
While these are a good starting point, terrorism is also considered to be any unlawful or criminal act directed against persons or property in order to further a political or religious ideology. Thus, terrorism can encompass events from 9/11 to the British hacker Gary McKinnon, charged in 2002 with hacking into nearly one hundred governmental and private sector computers.
The Anti-Terrorism Act (ATA) states that an act of “international terrorism” includes activities that
(A) involve violent acts or acts dangerous to human life that are a violation of the criminal laws of the United States or of any State, or that would be a criminal violation if committed within the jurisdiction of the United States or of any State;
(B) appear to be intended—(i) to intimidate or coerce a civilian population; (ii) to influence the policy of a government by intimidation or coercion; or (iii) to affect the conduct of a government by mass destruction, assassination, or kidnapping; and
(C) occur primarily outside the territorial jurisdiction of the United States or transcend national boundaries in terms of the means by which they are accomplished, the persons they appear intended to intimidate or coerce.
Gilmore v. Palestinian Interim Self–Government Authority, No. 1-853 (GK) 2014 WL 3719160 (D.D.C. July 28, 2014).
Terrorism in the Recent Past—A Key to the Future
The focus of terrorism has shifted in the past decades, as has our way of viewing it. Application of the term terrorist act to many events has been of recent vintage in the United States. For example, acts committed in the early 1970s, such as burning the ROTC building at Kent State and ransacking downtown Kent, were viewed as acts by anti-war protesters and not labeled terrorism, per se. After the Vietnam War ended, however, left-wing extremist groups continued action through the 1980s. Some attacks were carried out by Puerto Rican separatist groups; others by organizations such as the United Freedom Front, responsible for the 1983 bombing of the U.S. Capitol Building.
The 1990s saw the demise of the left-wing groups, but the right-wing groups began to emerge as a new terror threat. Some were characterized as white supremacist; others as anti-government. The 1995 bombing of the Murrah Federal Building in Oklahoma City was viewed by some as an anti-government protest in retaliation for a 1993 incident in Waco, Texas. There are other indications that the perpetrator, Timothy McVeigh, was influenced by the Christian Identity Movement, a group holding extreme anti-Semitic, anti-government, and racist views.
In the late 1990s two distinct types of terrorism emerged. The first was terrorism with religion as its base. Before Muslim terrorist groups gained notoriety, there were bombings carried out by the Provisional Irish Republican Army (Catholic) against British interests both in Northern Ireland and England. Retaliation by the Ulster Defense League (Protestant) became common. There have been several IRA attacks: bombs in London (1992, 1993, 1996, and 2000) and one in Manchester in 1996. There have also been rocket launcher attacks on the MI6 Headquarters and on Heathrow Airport. These bombings had property damage as their focus, and unlike other terrorist attacks, a telephoned warning often preceded the bomb's detonation. (In the Manchester bombing, warning was given at 9:41 A.M.; the bomb exploded at 11:20 A.M. However, in the other attacks noted, many persons died.)
The second type of terrorist activity is that carried out by extremist environmental or animal rights groups, notably the Earth Liberation Front (ELF) and the Animal Liberation Movement (ALF). See generally U.S. v. Waters, No. CR05-5828 FDB, 2010 WL 148679 (W.D. Wash. Jan. 14, 2010), U.S. v. Christianson, 586 F.3d 532 (7th Cir. 2009), U.S. v. Viehl, No. 2:09-CR-119, 2010 WL 148398 (D.Utah Jan. 12, 2010), and U.S. v. Fullmer, 584 F.3d 132 (3d Cir. 2009).
Both of these groups are international in scope and violent in nature. These groups often act together. In June 1998, two U.S. Department of Agriculture buildings in Olympia, Washington, were set afire, resulting in lost research and destruction of the buildings. Both groups claimed responsibility. Both groups were suspected in connection with the firebombing of a GAP store in Seattle in November 1999.
In 1999, ALF was responsible for several destructive acts, among them damage to a Eugene, Oregon, meat packing plant ($500,000 damage) and to a building housing a research lab at the University of Minnesota, St. Paul ($2 million damage). A visit to the group's website shows hooded individuals as well as instructions on making incendiary devices.
ELF's destruction ranges from a 1998 fire in Vail, Colorado ($12 million), to several incidents of burning down homes under construction in Long Island, New York in 2000. ELF also claims credit for vandalizing two new buildings, one of them a bank, in Louisville, Kentucky, because of urban sprawl and proclaimed, “This was the first, be it minor, direct action….more actions are planned in the future.” ELF specifically targets the biotech industry and any business connected with it by extension.
The cases convicting members of the ELF and ALF did not discuss terrorism although their actions were similar to other acts of terrorism. Rather, they were convicted of crimes like arson and vandalism.
All this is by way of demonstrating that a business may consider itself safe from acts of terrorism, only to find that it is a target either directly or indirectly. An attack against one business can affect other businesses. It is not only the multi-national corporation that poses a threat in the eyes of many terrorist organizations. The goal of the terrorist is to cause sufficient fear to require a change in action even though the action prevented is legal and profitable.
The first thing to determine is whether the business presents any type of target. It should be clear from the examples previously given that nearly every kind of endeavor can be on someone's “hit list.” The risk manager should get a clear picture of the business, including type of business, building(s), products manufactured, supply sources, customer base, shipping arrangements, and personnel. Then decide what form a terrorist activity is likely to take. For example, any lab involved in animal experimentation is likely to be a vandalism target. In the case of a biotech research organization or planned suburban sprawl, firebombing resulting in destruction of the property may be more likely. Does the organization do business with a politically sensitive country? Guilt by association with a resultant attack might occur.
The risk manager should also consider a threat because of the organization's personnel. In the case of the organization's executives, consider any outside boards of directors they may sit on. Will the organization be viewed as a target by association? Or, could the organization be a target because key personnel are outspoken on any one of a number of current issues or events? Is the organization one that exemplifies the philosophy that is the basis of the U.S. government? It could be a key target of terrorist activities as was the World Trade Center.
The risk manager should have a clear picture of any specific exposures facing executives, or, indeed, other employees. Kidnapping has become not only a means for personal gain, but is also used to finance terrorist activities or to make a political statement. Statistics involving kidnap and ransom are not exact since many corporations and governments do not often release details. In the Western Hemisphere, countries of greatest risk are currently Columbia and Venezuela. In the Eastern Hemisphere, they are the former USSR countries (with the breakdown of the former USSR, the Russian Mafia has become particularly active), Nigeria, Ivory Coast, Zimbabwe, Indonesia, Iraq, Qatar, Yemen, Lebanon, Afghanistan, Pakistan, Kuwait, the Philippines, and too many locations to list. Countries dangerous for other reasons include India and Israel because of religious animosity from extremist followers of other religions.
Any American traveling abroad should exercise caution, but particularly those working for a high-profile company or a target company. Even Starbucks came under fire in 2002 for not buying enough “free trade coffee” in Mexico.
Someone in the organization should be responsible for knowing at all times where key personnel are and regularly monitor travel plans including countries visited. For example, it is much easier to enter Israel from Lebanon than Lebanon from Israel. If a businessman is traveling, the organization should know what flights are being taken and where the person is. If employees make their own flight reservations, someone in the organization should still be informed. One of the issues brought to light in 9/11 disaster was that no one knew who was in the office and who was on the road. Real-time back-up of information as to who is in the office would be ideal, though probably impractical.
Personnel who travel abroad should observe common sense precautions, such as the following:
· Dress casually.
· Do not wear expensive watches or other jewelry.
· Use direct flights on regularly scheduled airlines if at all possible.
· Do not linger in the terminal.
· Remember the shooting at Los Angeles International Airport and note that ticketing areas are not secure.
· Book flights and hotel reservations in the name of the individual, not the corporation.
· Avoid corporate luggage tags or other corporate insignia.
· When possible, be met at a foreign airport by colleagues.
·Avoid taxis other than those arranged by the hotel. (This depends upon the particular country.)
· Avoid predictable patterns.
· Do not always use the same rental car agency.
· Do not take the same route to a meeting each day.
· Do not use the same cab driver each day.
· Remember that passports must often be surrendered when checking into a hotel.
· Take note that a traveler checking into a hotel certain countries following a stop certain other countries may be viewed suspiciously.
· Never advertise or comment on the fact that your corporation has purchased kidnap and ransom insurance.
Kidnap and ransom insurance is available. (Kemper, Chubb, Lloyd's Underwriters, and Royal & SunAlliance are among the carriers offering coverage.) There is a new growth industry of security firms offering twenty-four hour hotlines for traveling executives. Some of these firms are staffed by ex-military, others have regular switchboard operators who direct calls to the appropriate specialist. Many of the firms regularly send emails alerting clients to potential danger spots and maintain data banks containing escape routes. Consider utilizing their services.
Disputes can arise over kidnap and ransom coverage. In Hargrove v. Underwriters at Lloyd's, London, 937 F.Supp. 595 (S.D. Tex. Galveston Div. 1996), the court was deprived of the right to compel coverage under a ransom and kidnap coverage where the act of state doctrine is a “judge-made prudential rule that prevents United States courts from sitting in judgment on the official acts of foreign sovereigns.” (citing to Gregory H. Fox, Reexamining the Act of State Doctrine: An Integrated Conflicts Analysis, 33 Harv.Int'l L.J. 521, 521 (1992)). The United States Supreme Court described the doctrine as follows:
Every sovereign state is bound to respect the independence of every other sovereign state, and the courts of one country will not sit in judgment on the acts of the government of another, done within its own territory. Redress of grievances by reason of such acts must be obtained through the means open to be availed of by sovereign powers as between themselves.
Underhill v. Hernandez, 168 U.S. 250 (1897).
The safety of employees other than those traveling should also be taken into account. Some organizations are considering background checks. This is a corporate decision based on what the business is willing to tolerate. For example, a business hiring laborers might overlook a driving record, but a school bus operator cannot.
Many corporations now utilize photo IDs that an employee must always wear in plain sight. For smaller organizations, this is probably neither feasible nor necessary; however, some means of controlling access to a premises should be considered, whether it is a magnetic key card or an alert receptionist. In any event, unescorted visitors should not be allowed to wander at will throughout the building. Visitors can be given an identification tag so that employees will be aware if a visitor is not where he should be. Employees should be encouraged to report any visitor's suspicious behavior or any objects left where they should not be. A visitor shoving a package high up out of sight on a shelf is probably not doing so for a beneficial purpose.
Consider whether key executives can normally be found at the same places on a regular basis. For example, does the CEO drive a certain make of car and always drive onto the premises at the same time? It is prudent to vary this routine. This is particularly true if the executive lives in one of the countries previously mentioned or is involved in an industry that might be subject to a terrorist attack.
Draft an emergency evacuation plan for employees and follow up with a drill. Make sure the plan includes assistance for those employees who need help. The risk manager in consultation with management should designate persons who have sufficient knowledge and training to implement necessary procedures in event of an attack. These persons will take responsibility for safety procedures, such as closing fire doors, moving people away from the hazard (including deciding whether in event of a bomb detonation outside the building it is better to remain in a secure area inside or risk injury from falling glass and masonry outside), and switching off the ventilation system.
It is impossible to completely secure a building. The risk manager may have considered all possible scenarios with regard to his own building, while a bomb attack at the international conglomerate across the street may just as surely spell disaster. For this reason, emergency plans should include a scenario involving a nearby business.
If a new building is being built, consider first the site. Is it a street-front? Remember the Murrah Federal Building and consider that a set-back from the street may be preferable. Of course, this is not always practical, in which case the building's security should be achieved by means of other methods, such as enforced no parking in front.
Will the new building be a high-rise? Current building design considers extreme wind stress as well as the possibility of a plane's crashing into the building. The World Trade Center towers utilized tube construction; that is, there were closely spaced columns and beams in the outer walls to withstand wind, with an inner core of habitable space.
Fire is always a concern, even if not the result of a terrorist attack. Plans should be made for occupants' safety. Some buildings include specially designed interior rooms every so many floors built to withstand fire. But even something as simple as having exit signs on the floor rather than over doors where they may be obscured by heavy smoke can easily be incorporated.
The risk manager should review parking. If the building stands alone with parking around it, security cameras can be mounted to monitor the area. If there is parking under the building, consider access. If the parking is restricted to employees, then it should be accessible only to employees. This seems logical, but remember many businesses' security is limited to a sign stating “Employee Parking Only.” Take into account that the parking may not be restricted or there may be no control over the parking area, as in the case of a multitenant building or public parking, and plan accordingly. Remember that the first WTC bombing in 1993 occurred when an explosive-laden van detonated in the underground garage. It may be possible to get agreement that vehicles other than private passenger ones should be denied access.
Space planning is a consideration. The inside of buildings, away from exterior glass, is generally safest. Sensitive computer systems, executive offices, or places where large numbers of persons congregate should be located towards the interior rather than the exterior of the building. When possible, bomb-resistant glass should be incorporated. For those organizations targeted by firebombers, high impact glass should be considered. Fire bombers typically throw incendiary devices through windows; if unable to penetrate the building, they may turn their attention elsewhere.
Consider the following factors relating to access to the building:
· Is there a loading dock? How secure is it?
· Is parking secure?
· How many building entrances? What kind of locks are on doors? Are doors left unlocked during business hours?
· Is there a reception area? How easy is it for someone to walk into the business?
· Does someone verify authorization for outside workers who may need to enter the premises?
· Can someone gain access through a skylight or ventilation system?
· Should electronic monitoring or closed-circuit TV be considered?
These precautions are targeted at persons or vehicles either gaining access or proximity. But terrorists can carry out biological or chemical attacks without actually entering the building. Ventilation intake systems should be evaluated for accessibility. In the event of an emergency, can they be closed? Can areas of the building be sealed off?
How is mail received? Has the mail room staff been instructed in proper handling procedures? If a suspect package or letter is received, be able to trace the item back through the system so anyone handling the item can be identified. The following are some general mail handling tips:
· Be suspicious of any package that is unusually heavy given its size.
· Be alert to hand-written, misspelled, or poorly typed addresses, or packages or letters with no return address.
· Open packages with minimum movement, using a letter opener or box cutter.
· Keep hands away from nose and mouth while handling mail; wash hands when finished.
· Do not blow into envelopes to open them, shake or pour out contents.
For some valuable information on business response to terrorist threat, see publications from the United Kingdom Home Office. Great Britain, as noted earlier, has experienced attacks from the IRA as well as extremist animal rights groups, and the experience has taught valuable lessons.
Cyber terrorism is on the increase. Some cyber terrorism involves hacking into websites and vandalizing or defacing them. But on Monday, October 21, 2002, nine of the thirteen key Internet computers, or root servers (the ones that manage worldwide traffic), were shut down following a cyber-attack. Currently major banks and retail associations report they are victims of cyber-attacks and personal information of their customers have been compromised. Reports indicate governmental entities and foreign criminal organizations are involved in hacking into commercial and governmental computers on a daily basis.
The risk manager, therefore, in collaboration with the information technology department, should assess the organization's dependency on its computer system and recognize that the best security systems are effective only until the next attack.
Cybersecurity is the body of technologies, processes, and practices designed to protect networks, computers, programs, and data from attack, damage, or unauthorized access. In a computing context, the term security implies cybersecurity. According to a December 2010 analysis of U.S. spending plans, the federal government has allotted over $13 billion annually to cybersecurity over the next five years.
Ensuring cybersecurity requires coordinated efforts throughout an information system.
For more information visit the United States Department of Justice, Computer Crime & Intellectual Property Section and the Prosecuting Computer Crimes Manual.
A problem facing computer security is the rise of wireless networks, which leads to war drives. This is the name for office-scanning drive-bys in which persons use laptops, scanners, and antennas to try to intercept signals from the wireless networks used by corporations to link their computers to each other and the Internet. Of course, once the hackers have spotted the “free” network, they can use it for their own Web surfing, email, or possibly even to hack into the corporate network to access confidential business information.
The information technology department is the first defense and can likely provide information as to where the organization is vulnerable. The department's help should be an integral part of the overall terrorism management program. The IT department should also be responsible for regular back-up of the organization's data and should keep copies securely off site.
Business income exposure have not been examined in this discussion. There are indications that, following the WTC bombing of 1993, business interruption loss accounted for a third of the total loss. Although an organization can make an educated guess about the amount necessary for a loss at its own location, it is impossible to make any conclusions about loss of access. The 1992 Bishopsgate bomb in London left some 200 tons of glass in the street, so imagine the period of time necessary just to clean up the debris, let alone inspect buildings for structural damage. And, although a business may not have sustained a property damage loss, the loss of income because of lack of foot traffic may be substantial. For a small business, this could prove devastating, and should be considered.
In addition to the sources given throughout this discussion, see Business at Risk, by Kevin Quinley, CPCU, ARM, and Donald L. Schmidt, ARM (The National Underwriter Company, Cincinnati, OH 2002), for much useful information. The Commercial Property Coverage Guide, 5th Edition, by. Donald S. Malecki (The National Underwriter Company, 2013) is helpful in assessing the insured exposure.