30 November 2006

Red Flags: Mobile Data Encryption Policy...

Have any of your executives been waving any "Red Flags" lately? If you are like many CISOs across the globe, you may have to change this to a "White Flag" and surrender.

IDC reports in a recent study that the projected number of global mobile employees would grow beyond 878 million by 2009. IDC’s report, "Comply on the Fly: Keeping Pace with the Management Challenges of Mobile Data Management," explores whether businesses are implementing initiatives to provide internal controls and address data security risks from mobile device use.

A recent IDC report cited at the Business Performance Management (BPM) Forum reminds CxOs to batten down the hatches on mobile devices. RIM (BlackBerry) is only one of a few companies being subjected to greater pressure to provide encrypted data at the device level.

The IDC report contained the following information:

* Nearly half of all respondents report that a minimum of 25 percent of all mobile devices in their organization carry mission-critical applications and information.

* Forty percent of respondents have no measures at all to manage mobile data tracking, backup and archiving for regulatory compliance purposes.

* Smaller companies ($100 million in revenue and under) face a greater risk of violations, with just 32.4 percent implementing formal mobile compliance policies.

* There is a disconnect between IT executives who recognize mobile device compliance and security risks, and C-level executives who see benefits, not risks.


Yet it seems that employees will not obey or even heed the policies set forth by their enterprise to try to protect customer information and valuable intellectual property. Thousands of laptops and PDAs are left in taxi cabs as "On The Go" executives run for their meetings, interviews or flights.

In this digital age, the value of information on these stolen or lost devices is increasing and the losses to the enterprise far exceed the replacement of the phone, PDA or laptop. The loss extends to the notification of the customers whose Personally Identifiable Information has been exposed. Studies by the Ponemon Institute have calculated this amount to be $182.00 per record.

According to the study’s 2006 findings, data breaches cost companies an average of $182 per compromised record, a 31 percent increase over 2005. The Ponemon Institute analyzed 31 different incidents for the study. Total costs for each ranged from less than $1 million to more than $22 million.

The 2006 Cost of a Data Breach Study tracks a wide range of cost factors, including legal, investigative, and administrative expenses, as well as stock performance, customer defections, opportunity loss, reputation management, and costs associated with customer support such as information hotlines and credit monitoring subscriptions. "The burden companies must bear as a result of a data breach are significant, making a strong case for more strategic investments in preventative measures such as encryption and data loss prevention," said Dr. Larry Ponemon, chairman and founder of The Ponemon Institute. "Tough laws and intense public scrutiny mean the consequences of poor security are steep—and growing steeper for companies entrusted with managing stores of consumer data."


The CxO on the go now realizes the importance of encryption for all mobile devices. Unfortunately, for those few who still have not reallocated the funding to accomplish this important task, the delay may cost millions more.

In yet another instance of laptop theft potentially endangering personal data, Kaiser Permanente Colorado is notifying some 38,000 members of a possible breach of their private health information.

The information was located on a laptop stolen from the personal car of a national Kaiser Permanente employee in California, reports the Rocky Mountain News and other media outlets.


Let's see: 38,000 x $182.00 = $6,916,000.00 in operational losses.

27 November 2006

Backdating: Culture Makes All the Difference...

Looking back upon your last stock option exercise, did you realize the price you were granted was backdated? If you did, then your ethical misbehavior is just another example of how corporate compensation is bringing the house down. The question now remains: how many more companies will be announcing that they need to restate their numbers for the latest financial period?

Affiliated Computer Services replaced CEO Mark A. King and CFO Warren D. Edwards on Monday, saying they had violated the company’s "Backdating" code of ethics for senior financial officers, as the company completed an internal investigation of its stock option-granting practices.

The Dallas-based outsourcing company named COO Lynn Blodgett as the new chief executive, and John Rexford, the company’s executive vice president of corporate development, as the new chief financial officer.

Mr. King and Mr. Edwards are just the latest of about 60 corporate executives who have been pressured to step down as companies have probed their stock option grants and the backdating of those grants to benefit executives. The options fallout has ensnared more than 150 companies so far.

The two ACS executives resigned effective Sunday and entered into separation agreements with the company.


You can bet that anyone who is now considering a new position where stock options will be part of the compensation package will question the ratio between incentive in stock and the cash bonus. Incentive compensation is the root of much of the corporate malfeasance we have all witnessed over the past five years. And if you look at where this story really begins, you have to look hard at the compensation consultants, head hunters or just plain human resources processes.

When you look at the way people are compensated, you generally can figure out what type of behavior you are trying to influence. The corporate governance of our companies continues to see new fraud, new corruption and a continuous stream of finger pointing. A Code of Ethics is easy to create and yet much more difficult to get people to follow. What would Warren have to say about it?

Warren Buffett's "Tone at the Top"

A few months ago, Warren Buffett sent this memo to managers at Berkshire Hathaway:

To: Berkshire Hathaway Managers ("The All-Stars")
From: Warren E. Buffett

Date: September 27, 2006

The five most dangerous words in business may be "Everybody else is doing it." A lot of banks and insurance companies have suffered earnings disasters after relying on that rationale.

Even worse have been the consequences from using that phrase to justify the morality of proposed actions. More than 100 companies so far have been drawn into the stock option backdating scandal and the number is sure to go higher. My guess is that a great many of the people involved would not have behaved in the manner they did except for the fact that they felt others were doing so as well. The same goes for all of the accounting gimmicks to manipulate earnings - and deceive investors - that has taken place in recent years.

You would have been happy to have as an executor of your will or your son-in-law most of the people who engaged in these ill-conceived activities. But somewhere along the line they picked up the notion - perhaps suggested to them by their auditor or consultant - that a number of well-respected managers were engaging in such practices and therefore it must be OK to do so. It's a seductive argument.

But it couldn't be more wrong. In fact, every time you hear the phrase "Everybody else is doing it" it should raise a huge red flag. Why would somebody offer such a rationale for an act if there were a good reason available? Clearly the advocate harbors at least a small doubt about the act if he utilizes this verbal crutch.

So, at Berkshire, let's start with what is legal, but always go on to what we would feel comfortable about being printed on the front page of our local paper, and never proceed forward simply on the basis of the fact that other people are doing it.

A final note: Somebody is doing something today at Berkshire that you and I would be unhappy about if we knew of it. That's inevitable: We now employ well over 200,000 people and the chances of that number getting through the day without any bad behavior occurring is nil. But we can have a huge effect in minimizing such activities by jumping on anything immediately when there is the slightest odor of impropriety. Your attitude on such matters, expressed by behavior as well as words, will be the most important factor in how the culture of your business develops. And culture, more than rule books, determines how an organization behaves. Thanks for your help on this. Berkshire's reputation is in your hands.


What kind of culture exists in your organization?

23 November 2006

Human Factors: Pandemic Fear & Y2K...

Organizations are running around looking for quick answers to "Pandemic Planning." Is this the next Y2K? Many agree that it is not the same threat and more are convinced that specific losses to personnel will have significant impact on operational risk factors.

And yet there is a standard waiting for any organization that wants to increase its Business Resilience, regardless of the origin of the "Virus."

BS 25999-1:2006 is a code of practice that takes the form of guidance and recommendations. It establishes the process, principles and terminology of business continuity management (BCM), providing a basis for understanding, developing and implementing business continuity within an organization and to provide confidence in business-to-business and business-to-customer dealings.

In addition to the above, it provides a comprehensive set of controls based on BCM best practice and covers the whole BCM lifecycle.

BS 25999-1:2006 has been developed by practitioners throughout the global community, drawing upon their considerable academic, technical and practical experiences of BCM. It has been produced to provide a system based on good practice for BCM.

It is intended to serve as a single reference point for identifying the range of controls needed for most situations where BCM is practiced in industry and commerce, and to be used by large, medium and small organizations in industrial, commercial, public and voluntary sectors.

BS 25999 will be published in two parts:

* BS 25999-1:2006 Code of practice for business continuity management
* BS 25999-2:2007 Specification for business continuity management.


The standard, just like ISO 27001, is designed to provide both the guidelines for best practice and the mechanism for auditing and testing the controls. A management system with a continuous quality lifecycle provides the organization with a cultural catalyst to enable change.

The simple question “Have you achieved your BS25999 accreditation?” will prove to be a powerful driver for both public and private sector organisations and the wrong answer will have severe adverse consequences, costing money and credibility, customers and competitiveness.

A truly independent and accessible Standard for Business Continuity has been long overdue, but now it's here we all need to take on board the challenges and opportunities it presents and help organisations build resilience to this new standard nationally and indeed internationally. By doing so we will all be able to drive and at long last firmly establish Business Continuity into the mainstream activity of organisations of all types and sizes increasing their resilience and finally creating real Continuity.


Organizations that are waving the panic flag for increased resources and funding to address the future of a "Pandemic" should look closely at the behavior that drove them to the brink of Y2K: a worldwide panic, millions of dollars invested in redesigning software applications and then, at the apex of the millennium, a huge sigh of relief. Or was it the sound of disappointment? In the after-action reporting and over the next two years, an Internet revolution was born. Our applications were reengineered and the next generation of innovation was born for companies to serve customers in ways they had never dreamed.

A strategic investment today in "Pandemic Planning" and Continuity of Operations will have the long-term benefit of creating a stronger and more survivable organization. In fact, this time the emphasis will not be so "Tech-Centric" but "People-Centric". Who is "Core" to our business? What processes are necessary to run the business and who are the people we really need to support those processes? Every time you run a new exercise or test your contingencies, you learn which fundamental items have been overlooked.

The Human Factors are in play this time. That makes it more unpredictable and more unreliable. More importantly, it becomes necessary to put your employees through some of the most stressful training they have ever had to endure. Imagine telling your "Core" they can't leave work for the next month. What people do you have on your team that will give up that much time and isolation from close family members? The fact is, you won't know until you see them under fire. You won't know if all of the training made any difference until you see your people perform under the most demanding and emotionally challenging circumstances.

You had better start now. And you should be prepared to see some of the most shocking human behaviors you have ever witnessed. The people you never expected to be heroes will be. The most brave and macho people on the outside are often the first to run and hide. Fear is a phenomenon that enables some and paralyzes others. Your job is to find out how it affects those you choose to lead your organization during the multiple waves of "Pandemic Attacks" just over the horizon.

17 November 2006

Enterprise Resilience: Investing in Intellectual Capital...

This week's 21st Annual OSAC (Overseas Security Advisory Council) Briefing was entitled Global Resiliency: Operating in Challenging Environments.

The United States Department of State Bureau of Diplomatic Security sent a clear message that Enterprise Resilience is going to be a major theme moving forward as global firms experience extended supply chains. As this footprint becomes more expansive and spans multiple continents, so too do the operational risks. The conference was opened by Ms. Deborah Wince-Smith of the Council on Competitiveness, who presented a case for why private sector CEOs should care about this strategic initiative:

There are at least four reasons why CEOs should care about integrating security and resilience into their business strategy.

1. Business risks are growing, irrespective of 9/11 and the threat of global terrorism.

2. Resilience, in the face of increasing risk, is a shareholder value issue.

3. New corporate governance rules may mandate more rigorous integrated management systems than are currently in place.

And for many firms, operational risk management is not a priority. According to recent surveys:

Only 36% of U.S. CEOs believe that risk management is a priority concern, versus 45% of European CEOs and 67% of Asian CEOs (Conference Board, 2006).

Only 25% of Directors of non-financial companies report that the Board considers all major risks to the company, versus 55% of financial industry directors (Conference Board 2006).

During the past 12 months, 1 in 5 companies surveyed suffered significant damage from a failure to manage risk and over half had experienced at least one near miss (Economist Intelligence Unit and Lloyds, 2006).

4. Industry continues to face a risk of reactive regulation for homeland security.

5. Empirical evidence from the case studies highlights missed opportunities to leverage security investments to increase efficiencies and revenues.


The conference also had keynotes from our own DNI, Ambassador John D. Negroponte, and from the CEO of Archer Daniels Midland, Patricia Woertz, who made a case for the "Chief Resiliency Officer". Yet the most compelling remarks and insight come from someone who has lived on the front lines for decades, someone who understands the threats corporations, NGOs and governments face on the new global battlefield. Henry (Hank) Crumpton is now the Ambassador-at-Large and Coordinator for Counterterrorism after joining the CIA in the early '80s. He led the CIA's Afghan campaign in the first critical months of this new strategy against "Non-State Actors."

These small, nimble and flexible attack units known as "Micro-Actors" can deliver "Macro-Impact" using the cover of corporations, exploiting our modern transportation and communications networks and gaining new 4th generation weapons. We must realize that the innovations and the technologies we create will be utilized against us.

Here are some words of wisdom from one of the most admired and fearless patriots of the United States:

1. We must begin investing more in our own Intellectual Capital and to better understand the enemy.

2. We must build interdependencies and strong interdependent networks. (People)

3. People need to demand more from government to build stronger partnerships.

4. The private sector needs to give more to the government. (Intelligence)

5. We need more leadership.


Resilient organizations learn and adapt. They change and morph as new risks evolve. Given the new revolution of protection converging with recovery, we can only pray that business leaders finally realize that this is not about mitigating losses. It is about putting on a new pair of glasses with a new prescription that is perfect. The clarity of the new lens allows people to see that newfound investments can Enable Global Enterprise Business Resilience.

14 November 2006

Single Points of Failure: Interdependencies Unknown...

The Private Sector is putting its money where its mouth is when it comes to increasing its Business Resiliency. The Business Roundtable has been an advocate for its Fortune 500 member CEOs creating memorandums of understanding (MOUs) to utilize in the event of a significant disruption in critical infrastructure.

Now they have gone a step further and created the Partnership for Disaster Response in order to deal with the potential operational risks associated with natural catastrophes and other events such as the terrorist events in Madrid, London and New York.

In May 2006, the Partnership became a Business Roundtable Task Force, and Robert L. Nardelli, Chairman, President and CEO of The Home Depot was named chairman. Since then, nearly 30 CEOs have joined the Task Force.

The Partnership for Disaster Response is working to develop plans and identify deployable resources for the four key phases of disaster response:

* Prepare – Establish business continuity plans, employee assistance and volunteer programs, community partnerships with local and national responders, and other programs or channels that can be activated when a disaster strikes.

* Respond – Mitigate the impact of a disaster by immediately collecting and transporting food, safe drinking water, and other needed supplies.

* Recover – Deploy volunteers, financial support, goods and supplies, heavy equipment, technology, and other assets to accelerate the restoration of order and critical infrastructure to affected communities.

* Rebuild – Sustain the long-term rebuilding efforts and restore housing capacity, jobs, community assets, and environmental resources damaged and destroyed by disaster events.


The Partnership is focused on preparedness in anticipation of a disaster because no one has control of "Mother Nature". Yet all of this kind of preparation will neither deter nor detect the expanding risk to the global enterprise from the threats from people. Yes, the training on what to do in the event of an incident is valuable for the reaction and recovery time, but it does little to prepare and train individuals on the "Cues" and "Clues" that an attack is being planned or ready to be executed.

The global companies focused on disaster response also need to balance this with advanced methods of intelligence collection and the use of sensors to detect any deviations from the norm. Four critical components for this proactive mindset must exist for an organization to survive:

1. Intelligence

2. Investigation

3. Readiness

4. Training


Organizations such as WashingtonDCFirst exist in our Nation's Capital to address the need for a coalition of private sector companies to work on being proactive, not reactive. This requires leadership to focus on the critical interdependencies you share with your large corporate neighbor down the street or around the corner. Do you both share the same Central Office from Verizon? Do you have the same pumping station for DC Water? Do you have a shared sub-station for power from Pepco? If you do, then you both know some of your Single-Points-of-Failure.

While you may never be able to put up enough walls, fences and locked gates to totally protect your single-points-of-failure, you can create an architecture that deters attacks and detects changes. And if you do have an alert or alarm go off, then you must investigate the incident no matter how insignificant it may be. Those organizations that believe they are not in the bull's-eye of some worthy adversary should pay attention. Your competitors and even your neighbors realize that this game is not always about eliminating threats to your own corporate assets. It's about making sure that the attackers choose a much more vulnerable target than your own.

12 November 2006

Safeguards Rule: The ID Theft Battle...

Unlike Europe and other forward-thinking regions of the globe, the United States is still wrestling with a national data security and privacy law. If the new Democratic power base is successful, the ID Theft and privacy battleground will now shift from a corporate focus to a more consumer focus.

A new ID theft task force comprised of 17 US Government agencies has been working on a strategy report that is due by February 2007. It will be highlighting "ID Theft Red Flags" or rules that need to be addressed when they occur. The Federal Trade Commission (FTC) will be gearing up enforcement against those companies that provide PII (Personally Identifiable Information) intel, as it did this past year with ChoicePoint and others.

Organizations are being pressured to retain data longer, up to two years, as a more modern FISA (Foreign Intelligence Surveillance Act) is contemplated. This will assist law enforcement and corporate security departments in evidence collection and the investigative process to detect and defend our company assets and national security from "Lone Wolf" terrorists and everyday fraudsters, counterfeiters or pirates. If you are currently a consumer using Vonage, Skype or some other VoIP service, you can bet that all of your calls are going to be accessible for some time to come.

As the Federal Civil Rules on Electronic Discovery change December 1st, the records retention policies and data categorization or mapping exercises will be in full swing. If they aren't, be prepared for quick judgements and settlements from your organization if your litigation readiness factor is in the red or even the yellow zone. In terms of your 3rd Party or outsourced relationships, you can bet that a SAS 70 Type II will not be enough to ensure that your partner has been doing enough to protect your customers' PII.

So what does all of this mean? SO What!


It means that the 8 Million+ small and medium enterprises in the US will be subjected to FTC scrutiny under the Safeguards Rule:

According to Orson Swindle, former commissioner of the U.S. Federal Trade Commission,

We're going to probably see a broadening or extension of the safeguard rule in the Gramm-Leach-Bliley Act to cover a significant number of organizations that handle sensitive information but that aren't financial services institutions. There is a new awareness that personal information is very valuable, and it needs to be protected whether we're talking about a financial institution or a university or a shoe store.


As the committees in Congress are sorted out and the first 100 hours of the new Democratic regime take hold, don't be surprised if your organization is now in the cross hairs of the government's regulatory enforcement teams. The US Attorney in your jurisdiction is ready to begin a new era to get business to invest in soundness and safety, even if you are not traditionally a highly regulated entity. You think ID Theft is just another bother?

Woe to you, friend, if that's your attitude. Data security may be dead in Congress this year, but the Federal Trade Commission is on the case, and that could mean trouble for lax companies.

"The FTC has stepped into the void," said Emilio Cividanes, a partner in Venable LLP. "And every proposal for comprehensive legislation has the FTC playing an important role."

For one thing, the commission is now putting its finishing touches on its ID Theft Red Flags Rule, requiring that companies spot and address identity theft risks.

What would constitute a red flag? If there are multiple addresses for a credit-card holder, according to Joel Winston, associate director of the Privacy and Identity Protection division of the FTC's Bureau of Consumer Protection, speaking at DMA06 in San Francisco.

And the FTC is aggressively pursuing companies for allowing security breaches to occur or for not having protections in place. And why not? It is getting 15,000-20,000 consumer messages a week through its Identity Theft Website and telephone number.


If you are one of the millions of Small to Medium Enterprises (SME) in the United States without a full-time Chief Information Security Officer (CISO), you may be at significant risk, especially if your General Counsel has little or no relationship with the person you have charged with keeping the networks running and the infrastructure maintained. Be forewarned. The next new hire in your organization may be a lawyer with a CISSP or even a person with an MIS and a J.D. degree. In either case, the government is going to come knocking and your reputation is on the line.

06 November 2006

Foreign Corrupt Practices: Oil, Corruption & Borat...

Global commerce is on an upward curve of growth as the planet becomes flat or smaller based upon the increasing speed of business. Transportation, Technology and Telecommunications have extended the reach of many U.S.-based enterprises that desire to trade products or services overseas. The Gas & Oil Industry and Energy sector have been the most scrutinized public companies for their business practices over the past three years.

Operational Risk in the Energy Sector and others could be blind-sided by the Foreign Corrupt Practices Act (FCPA) in the years to come as they race to do business in Kazakhstan and China. Here is a lesson for aggressive marketeers and business developers who will need to be wary of their business protocols and procedures when engaging in international commerce.

"So you think it's easy to stay out of jail? John MacLellan doesn't. The regional finance director of Microsoft Corp. in Asia, MacLellan is responsible for ensuring compliance with the U.S. Foreign Corrupt Practices Act (FCPA), a law that exacts strict penalties for giving or taking bribes at overseas operations. While the software giant boasts a robust internal-compliance program, recent FCPA enforcements (including actions against Titan Corp. and InVision Technologies) suggest a new urgency in the U.S. government's enforcement of the law.

Complicating MacLellan's job: in the People's Republic, it's not always clear who you're dealing with. A U.S. executive might treat a customer to a business dinner without ever knowing that one of the guests is a low-level ministry official. "We face a large number of very complex deals in China," MacLellan says. "Because of the size and influence of the government, we're exposed [to the FCPA] from the start."


The Kazakh government is getting plenty of publicity this week due to a new movie launched this past weekend named "Borat: Cultural Learnings of America for Make Benefit Glorious Nation of Kazakhstan". Simultaneously, the country is the focus of an oil, cash and corruption probe.

"In February, the United States attorney’s office in Manhattan is scheduled to go to trial in the largest foreign bribery case brought against an American citizen. It involves a labyrinthine trail of international financial transfers, suspected money laundering and a dizzying array of domestic and overseas shell corporations. The criminal case names Mr. Nazarbayev as an unindicted co-conspirator. The defendant, James H. Giffen, a wealthy American merchant banker and a consultant to the Kazakh government, is accused of channeling more than $78 million in bribes to Mr. Nazarbayev and the head of the country’s oil ministry. The money, doled out by American companies seeking access to Kazakhstan’s vast oil reserves, went toward the Kazakh leadership’s personal use, including the purchase of expensive jewelry, speedboats, snowmobiles and fur coats, federal prosecutors say."

As American companies seek partnerships, acquisitions and IPO deals they must comply with FCPA or suffer the financial or political consequences. Even in the middle of all of the movie hype and the legal depositions the country of Kazakhstan has been elected to join the UN Economic and Social Council:

Kazakhstan says it has become the first Central Asian country to be elected a member of the UN's Economic and Social Council (ECOSOC).

The Kazakh Foreign Ministry says in a statement the vote took place at the UN General Assembly on November 2.

Kazakhstan will represent Central Asia in the 54-member UN body for the next three years. ECOSOC is the UN's central forum for discussing international economic and social issues.


02 November 2006

Intelligence Fusion: The Race Against Time...

Human intelligence may be the most sought-after way to prevent new threats to your organization. Yet that is never enough to give you total peace of mind. You have to implement multiple collection points for real-time and relevant information. The front line of intelligence analysis begins far in advance of the actual event or incident taking place. Companies like QL2 have provided some of the tools to detect the presence of new and relevant information in the millions of web sites across the Internet. They assist CxOs in navigating their operational risk strategy execution across a competitive and increasingly threatening global landscape.

Now that people have cameras on their telephones, even the common citizen can collect relevant intelligence or evidence of an incident in progress. Yet how do you sort through the thousands of sources without automation? Television crews are standing by in vans, helicopters and other Satcom vehicles listening to the EMS and Police scanners. Their ability to be on the scene of a potentially threatening situation is now becoming a new strategic tool for those sworn to protect our country from a future terrorist attack.

CriticalTV is a comprehensive Web-based television search and monitoring service that allows users to search, track and view critical information from television news. The platform provides real-time monitoring and email alerts for organizations that require up-to-the-minute news and alerts on any term or subject. CriticalTV alerts users about a relevant clip seconds after a broadcast, and allows users to share the clip instantly within a workgroup via secure video-email or a private video gallery. Users can also order a professional transcript or hard copy online.

Critical Mention announced today that it has been awarded a multi-year contract to provide the FBI with a real-time web-based broadcast monitoring service. The service will generate automatic real-time alerts and enhance the ability of the FBI to search international, national, and local broadcasts for critical issue media coverage.


The fusion of intelligence from the Internet and broadcast media requires not only sophisticated software, hardware and talented analysts; it also requires good old-fashioned investigative tactics. And when you combine all of these to create the closest version of reality, then you have found "Integrity." Keeping information confidential is a difficult task. Assurance that the information will be there when you need it is equally important. Yet it is the "Integrity" of the information that we are in constant pursuit of.

Data fusion involves the exchange of information from different sources—including law enforcement, public safety, and the private sector—and, with analysis, can result in meaningful and actionable intelligence and information. The fusion process turns this information and intelligence into actionable knowledge. Fusion also allows for relentless reevaluation of existing data in context with new data in order to provide constant updates. The public safety and private sector components are integral in the fusion process because they provide fusion centers with crime-related information, including risk and threat assessments, and subject-matter experts who can aid in threat identification.


The Private Sector is still the biggest challenge. Trusted relationships need to be continually fostered. New mechanisms for public-private coordination are consistently being discussed. At the heart of the matter is this. Five years after 9/11 we have had a close call this past August.

A group of alleged terrorists arrested in London in August planned to blow up airliners over U.S. cities to maximize casualties, rather than over the Atlantic Ocean as many intelligence officials originally thought.


Fusion Centers are not the only answer. They remain a significant piece of a very complex operational security challenge that we will be facing for years to come.