IQinVision

I recently blogged about legislation headed to the Oklahoma House that would allow students and faculty to carry concealed weapons on university and college campuses. Not long before that, I wrote about similar legislation coming out of Texas.

Apparently, there are more than a dozen states considering legislation that would allow professors and students to bring loaded guns into their classrooms, according to this article from CNN.

The article is written by Amitai Etzioni, a sociologist and professor of international relations at George Washington University and the author of several books, including "Security First" and "New Common Ground."

He said there is an inherent problem with this kind of approach to guns:
The drafters of these bills seem to have an image of peaceful students, bent over their books, suddenly attacked by gunslingers who materialize from nowhere. They ignore that students can and do shoot people on campus.

He argues that there aren't (and probably won't ever be) measures to ensure that mentally unstable people don't have access to guns:

And if it were ever created, I expect the National Rifle Association and various state legislatures would strenuously oppose submitting millions of students and professors, or anyone else, to such a test before they could purchase a firearm.

And there's also the issue of allowing students, specifically, to carry weapons. I may be generalizing here, but I'm pretty sure college students tend to drink more than other age groups, and, it's my fair opinion that alcohol and guns just don't mix (although don't get me wrong, I love beer camp, I mean, deer camp just as much as the next New Englander). So, I think he has a good point, the student body is a typically volatile group of people:

Worse, long before anyone storms into a classroom, some students will use their guns -- when their anger boils over, when they have one drink too many or their girlfriend makes out with someone else -- to shoot someone.

His argument is to make guns less accessible, not more. After all, he writes: "Nobody can kill 16 people from a clock tower with a knife."

What do you think? Would allowing students to carry guns make campuses more or less safe? What about campus security? Would it be more difficult to secure a campus knowing students may be carrying weapons?

Hard to believe the 10-year anniversary of the 9/11 tragedy is coming up this fall. When I met with Louis Barani, security director of the World Trade Center, during ISC Solutions this year he talked about some of the events planned to recognize the anniversary in addition to all the work being done to secure the new buildings and memorial site. If you missed that story, you should check it out here. It was an awesome tour.

Anyway, this story in the New York Times caught my eye today. A man has designed a personal escape harness, called the Rescue Reel, which was inspired by the victims who jumped from the World Trade Center. To escape buildings, people strap themselves into the harness, lock the reel to a stationary point like a door frame and gently propel themselves to the ground, according to the article. The Rescue Reel retails for about $2,000.

Do you think this is something corporations would consider adding to their safety devices? Does the procurement of equipment like this fall under the purview of the security department?

Sometimes people's stupidity astounds me. While I try not to add to the sensational nature of much of the mainstream media's focus on the Transportation Security Administration, I couldn't let this one slip by. Here's a story from the New York Post about how a TSA supervisor who is accused of helping a man bypass airport security measures in order to smuggle cash and 200 POUNDS (!) of marijuana out of the state:

Behavior detection officer Minnetta Walker, 43 — whose position gave her free reign at the airport — used her status to help drug boss Derek Frank’s gang avoid full body scanners, luggae x-ray machines and secondary screening at the gates, authorities said.

First of all, I can't even imagine what 200 pounds of pot must look like. That's got to be at least several suitcases worth, right? I just don't understand how people think they could get away with such things, inside help or not. According to the article, Walker had been involved in such illegal activity since February 2010 and was only caught after she was wiretapped. But once again, more bad publicity for the TSA. It's pretty clear this agency will never be the recipients of good press, but I'm pretty sure John Pistole knew that going in.

One of the hottest topics at this year's TechSec Solutions conference was the issue of cybersecurity. While it's traditionally the role of IT security to protect a company against cyber attacks, security practitioners have a role to play as well. During his keynote address, Gareth Webley had an interesting point:

"Physical security devices on the network must have the right information security controls. I've found that physical security devices that are IP enabled without the right information security measures are more dangerous than not putting anything on the network."

(You can read more details about his keynote address here.)

In other words, he thinks it's more risky for an organization to put a non-secure video camera on the network than not to have that camera in place at all.

During TechSec, I talked to several attendees about the challenges of educating employees about cybersecurity. One of them told me a story about how one of their executives divulged private information, including login and password information that compromised the company's network. Talk about an IT security manager's nightmare.

Well, apparently even high-ranking government employees are equally susceptible. I just read this CNN story about how two Canadian government agencies were hacked in January due in part to employee negligence:

The hackers took over computers in the executive offices of the Finance Department and the Treasury Board, unnamed sources told the network. They then sent fake e-mails to government computer techs and other employees to get them to divulge sensitive passwords in a technique known as executive spear-phishing.

Apparently, Canadian officials disabled the two departments' internet connections for a time to halt any loss of data, but that's what I would tell the public and media, too. The article suggests China was involved, which is no big surprise.

How worried are you about cybersecurity? Do you think your organization is doing enough to educate employees about security protocol? What's the role of physical security in this or is it just the IT department's problem?

On a recent business trip I sat next to a gentleman who told me he was on a government watchlist. Trying not to look nervous and in my head debating whether or not I should ask for a different seat, I asked him how he knew this. He said every time he went through security he was pulled aside and subjected to secondary screening. The man was obviously a seasoned business traveler and he said after the fourth or fifth time he started telling TSA officers that he was on the list. They immediately pulled him aside, screened him, and sent him on his way. "It's great," he told me. He hasn't waited in a security line since.

Well, few of us would have the same sentiment about being included on a government watchlist, especially the no-fly list. I just read an article on NPR that the FBI is saying the list isn't as long as people think:

"About 10,000," said Timothy Healy, director of the FBI's Terrorist Screening Center, which maintains the list. "And [the number of] U.S. citizens on the no-fly list is even much smaller, between 500 and 1,000."

But, the government won't say who is or is not on the list. Douglas Laird (also of SDN fame) told NPR that the system isn't perfect—and would-be terrorists can get around it.

"If that person is a professional, it's too easy to change an identity, so for that reason I wouldn't put a lot of faith in the system," Laird says.

I think having such a system has its place - there are certainly people we don't want on planes - but like every other system, there needs to be checks and balances. Intelligence gathering is probably the most challenging, and, also one of the most important tasks for federal agencies and it has to continue refining such systems to make sure it only hinders the bad guys. And, the government also has to expand training so personnel can spot suspicious behavior or activity and people who aren't on such watchlists are still identified and scrutinized.

As I continue to read reports coming in about the bombing at the Domodedovo airport in Moscow, I can't help but think that this should serve as a reminder to the public and aviation practitioners alike about what we're up against when it comes to securing the world's airports.

The latest news reports say 35 people have been killed and more than 100 injured from the blast that detonated in the international terminal at Moscow's busiest airport. Russian authorities are treating this as a terrorist attack, but no parties have yet taken responsibility for the attack.

Some are saying that this attack is evidence that Russia hasn't taken security seriously enough despite previous attacks:

Leonid Mlechin, an independent journalist who covers security issues, says the return of terrorism to Moscow shows that Russian security forces have failed to address the lessons of past terrorist attacks.

"This is a serious failure of special services," he says. "No one can carry out such acts alone. He needs to be trained, equipped, and supported by an organized group. Our intelligence services have clearly not been able to catch these groups."

While Russia has a long history of violence and unrest, those in aviation security in the U.S. and around the world must remain vigilant against such future attacks.

In recent months I've written quite a bit about museum security, or rather the apparent lack of security at many museums around the world. Remember this story about a $50 million Van Gogh painting being stolen from a museum in Egypt. And this wasn't some late-night, Mission-Impossible type heist, no, the thieves walked in during business hours, moved a couch underneath the painting and simply cut out the painting.

Today, I saw this article that 21 museum officials and employees (including the Deputy Culture Minister) are facing charges of negligence for not adequately supervising employees and not following up on their work:

The Administrative Prosecution also accused the defendants of failing to perform their duties in touring the floors securing the museum, an especially significant failure given their alleged knowledge that the surveillance cameras haven’t been working since 2006.

The museum had 43 cameras in place, but only seven were actually working. And budgets can't be blamed for this one:

The prosecution added that the museum’s maintenance company for security devices hadn’t performed any maintenance in 15 months, which effectively wasted the LE 100,000 designated to the museum for that very purpose.

The prosecution is also stating that the museum misused funds and hired more administrators whose job duties were redundant instead of hiring the necessary security personnel, further putting the security of the museum in jeopardy:

The number of security guards in the museum was reduced from 30 to nine, and that — on most days — that number was further reduced to only one guard on duty.

So, you don't have working cameras PLUS you don't have enough personnel to keep watch over millions of dollars worth of artwork? Um, yeah, I'd say there's some negligence here.

It was only in November that I wrote this story about Tom Ridge's comments regarding a bombing attempt in the D.C. Metro. Basically, Ridge said that no matter what measures are put in place to secure public transportation, the risk remains high. But, better some security than none, right? Recently the Metro announced it has begun conducting random inspections of carry-on items.

“This adds another layer of security to our system,” said MTPD Chief Michael A. Taborn, in the article. “The program will increase visible methods of protecting our passengers and employees, while minimizing inconvenience to riders."

Well, apparently the inconvenience has become too much. I just read this article in The Washington Post that the Metro Riders' Advisory Council voted overwhelming for a resolution that will ask the Metro board to suspend bag inspections and consult with the public about transit security policy. Some members of the council said that the inspections are unnecessary because there are no credible threats to the transit system. Um, well, no threats except that guy who said he wanted to blow it up, right?

But, apparently the inspections are only suppose to take a few minutes and are fairly non-intrusive:
Police will randomly select bags or packages to check for hazardous materials using ionization technology as well as K-9 units trained to detect explosive materials. Carry on items will generally not be opened and physically inspected unless the equipment indicates a need for further inspection.

I know the public probably finds the inspections annoying more than anything, but there's got to be something in place to deter the crazies. Let's work to find a middle ground and not just kill the inspections, people. It's for your own good.

Welcome to the new year. I took a week-long break from the working world, and I must say, it was wonderful. I actually unplugged myself for the most part, too, thanks to spotty cell phone coverage in northern Vermont and my parent's barely-better-than-dial-up satellite Internet. I highly recommend disconnecting, if even for a few days, it's very rejuvenating.

But now we're back and there's so much to catch up on. I'm getting excited for our upcoming conference, TechSec Solutions, which focuses on IP security technology. Our line up of speakers is looking great, covering everything from retail to critical infrastructure. For 2011 we're focusing largely on real-world situations and panels will be discussing ways that security folks have solved their biggest challenges by leveraging IP technology. The event is happening in Delray Beach, Fla., February 13-15th (can't beat Florida in February, now can you?).

In other news, things were somewhat quiet over the holidays (or compared to last year's Christmas Day bomber fiasco anyway). I've seen a few bizarre security stories come across my radar including this story about a man who accidentally butt-dialed his wife who thought he was being held hostage and called the police who then sent in the SWAT team. Oops.

Maybe you missed this story about a Yankee Stadium security guard who tried to get through airport security claiming he had "cooked rabbit" with him, but upon further investigation he actually had three large bricks of cocaine.

On a serious note, President Obama signed into law the Food Safety Modernization Act, which is the largest overhaul of U.S. food safety laws in more than 70 years. The $1.4 billion legislation makes sweeping improvements to the security and safety of our nation’s food supply and gives the U.S. Food and Drug Administration authority to order product recalls, and requires food manufacturers to keep more detailed food safety plans.

In other White House news, an e-mailed Christmas greeting purportedly from the White House actually contained dangerous malware aimed at extracting sensitive financial data and documents from government employees. Yikes. Wonder what the cybersecurity czar thinks about this?

All in all, the year is off to an interesting start. Here's to hoping 2011 is a hell of a lot better than 2010.

On Dec. 9, the U.S. Department of Education issued a report stating that Virginia Tech broke the law when it waited two hours to warn the campus that a gunman was on the loose, according to an article by the Associated Press.

The agency rejected the university's defense and confirmed that the school violated the Clery Act, which requires students and employees be notified of on-campus threats.

"Virginia Tech's failure to issue timely warnings about the serious and ongoing threat deprived its students and employees of vital, time-sensitive information and denied them the opportunity to take adequate steps to provide for their own safety," the report stated.

Now it's possible that the university could lose some or all of the $98 million in student financial aid it receives from the federal government, and could be fined up to $55,000 for the violations. It's unknown when any of these sanctions will occur.

A considerable part of the university's stance was around the definition of a "timely" warning. The university argued there was no definition of "timely" until two years after the shooting, when the DOE required schools to immediately notify people on campus upon confirmation of a dangerous situation or an immediate threat, according to the article.

"Today's ruling could add even more confusion as to what constitutes a 'timely warning' at a time when unambiguous guidance is needed," said Virginia Tech spokesman Larry Hincker. "It appears that timely warning is whatever the Department of Education decides after the fact."

Here are some of the other findings from the report:
—The university's e-mail stated only that "a shooting incident occurred" and that the community should be cautious. The report said that could have led recipients to think the shooting was accidental and that it failed to give students and employees the "information they needed for their own protection."

—The warning would have reached more students and employees and "may have saved lives" if it had been sent before the 9:05 a.m. classes began.

—That Tech's warning policy — which is required under the Clery Act — was vague and did not provide the campus with the types of events that would warrant a warning, who would deliver it or how it would be transmitted.

—The university's process for issuing a warning was complicated and not well understood even by senior officials.