Mumbai's 8/11 is emblematic of a lack of security co-ordination across city, national and private sector organisations. Jyoti Banerjee examines the lessons that the West can learn from Mumbai's 8/11.
Mumbai’s terror attacks at the end of November have created a deep sense of sadness and loss among Indians everywhere. The pictures on TV screens showing casually-dressed young men casually spreading violence and death have been more upsetting than the anonymous bomb blasts that have characterised terrorist attacks in India till now. More than ever, it is possible to reflect on the continuing truth in Barack Obama’s words, spoken about the New York terrorists in 2001: "My powers of empathy, my ability to reach into another's heart, cannot penetrate the blank stares of those who would murder innocents with such abstract, serene satisfaction."
But there is also a growing resolve across the country that India should not be such a soft target for terrorist action. It certainly seems to lack any sort of co-ordinated structure or system that can deal with credible threats and prosecute them with any urgency. Security agencies around the world are already competing for bragging rights regarding who was first to inform the Indians that a sea-borne attack on Mumbai was imminent.
Mumbai’s 8/11 attacks may be felt very deeply inside India right now, but the famous Mumbaikar resilience will show its strength yet once more to bring this famous city back to an even keel. But we should not ignore the lessons that Mumbai’s 8/11 have over here in the West. One of the key lessons from Mumbai’s 8/11 is the need for co-ordination across government and private sector operators in order to deal with security threats. This is a lesson that is still being learned in Europe, and one that needs to be dealt with urgently.
Two points of preamble are in order. First, this blog has no political pretensions whatsoever – and so the focus of its attention is on the need for the protection of critical infrastructure, rather than any political blame-games.
Secondly, I should explain the reference to Mumbai’s 8/11. The Indian press has started referring to the events as 26/11, as the attack started on 26th November 2008. However, this blog has chosen 8/11 as its reference point instead, reflecting the multiple 2008 November dates over which the attack happened, but possibly more importantly because of 8/11’s resonance with New York’s 9/11 and London’s 7/7 attacks.
Critical vulnerabilities
During the Clinton Administration, the President asked a Commission to study the operations and vulnerabilities of US infrastructure. In the foreword to their report, the President’s Commission on Critical Infrastructure Protection found that US infrastructures are so critical to the functioning of the US economy that their vulnerabilities “jeopardise the nation’s national security, global economic competitiveness and domestic well being.”
It is difficult to see that description as any less than true of the European situation, given Europe’s high dependence on information infrastructures. Certainly, Mumbai’s vulnerabilities have been ample demonstration of the truth in the Commission’s statement. Nevertheless, the standard response from many governments around the world has been to do very little, and hope that business-as-usual will deal with whatever security or infrastructural problems emerge.
At first glance, the “business as usual” option seems quite neutral as it is relatively even-handed on issues such as competitiveness, costs for governmental authorities and investment incentives for the private sector (who need to develop the technologies required to improve security, and who usually own most of a nation’s communications, telecoms, and information infrastructure).
Yet, the present situation – in Mumbai, certainly, but also in London, Brussels, Berlin and Paris, but less so in Washington DC - may be characterised in the following ways:
1) Inadequate governance mechanisms for protection against security breaches and threats: There are no common structures in Europe or India for government and private sector organisations to feed in information about threats and to create co-ordinated responses against such threats. Nobody has overall responsibility for dealing with security threats in a manner that co-ordinates the actions of interested and affected parties.
2) Poor collaboration between stakeholders: A respected security specialist told me of a recent test of resilience by the City of Edinburgh, in which there were no co-ordinating communications with London, or any other city. Now the Scottish may want to demonstrate their independence from Westminster at every opportunity, but security threat handling should not be one such area – only the bad guys will be applauding such lack of co-ordination. Mumbai hurt from similar failures where the stakeholders, such as the state and national security organisations, as well as private sector telecoms operators, failed to collaborate with each other.
3) Negative consequences are not matched by risk perceptions – as a result, stakeholders act in ways that impair or hinder security threat management, while believing they are acting in their own interest. For example, in most Western cities, we would never dream of leaving our homes unlocked. But when it comes to our PCs, we often show a remarkable lack of care with maintaining their on-line security. If you think your PCs are well protected, use a tool such as Secunia’s remarkable PSI software to see if it is really as safe as you think it is.
4) A steadily worsening threat landscape with security attacks coming from criminals, terrorists, jihadists and state-sponsored groups. If you think Islamic terrorists are the only problem facing Western security agencies, think again. Russian on-line gangs use the same holes in our security fabric to cheat us, as the terrorists use to kill us. The last point, in particular, should mean that standing still is not a palatable option.
Till recently, the protection of critical infrastructure has been a regional or local concern. However, the connectedness of the information infrastructure, and the consequences of attack like 9/11 in the US have shown that critical information infrastructure protection has to offer a fusion of local, regional, national and international co-ordination.
The “do nothing” option is limited precisely because that fusion of activities by different stakeholders does not happen. A difficulty in creating co-ordination is the need for shared definitions, processes and operations. Each European member state operates on its own with regard to security threat management, with some taking it seriously and others doing very little. Some member states operate central security infrastructure, while others do not. Some have operational mechanisms for reporting critical security threats, while others do not. Confusion in the arrangements in the public sector make it difficult for private sector operators to fit in with protection initiatives.
Collaboration between public and private stakeholders has to improve. In some instances, information sharing is limited because there are legal obstacles to data being moved from one geography to another. However, there are also examples where the data is not being collected in the first instance. For example, information on security breaches is not being collected – banks are the top offenders in this area. As a result, there is very little hard evidence on what is happening with respect to security breaches.
Even if the data was being collected on a national basis, Europe’s “business-as-usual” strategy would mean that there would be very limited sharing of security breach data, to take but one example, with other member states. However, the example of the cyber attack on Estonia in April 2008 demonstrates that not putting in such international co-operation can result in ineffective protection when it comes to attacks on information infrastructure. The Estonian attack, likely from Russian sources, proved to be rapid, fast-moving and quickly scaled up into an international attack.
A related issue is that even when national security agencies identify a threat, it may not be worthwhile for them to prosecute that threat because their stretched resources may be targeted on more popular political issues, such as violent crime. Cyber crime does not have the same penalties as other sorts of crime, nor the same sort of “rewards” for police as making streets safe, or sorting out knife crime in schools. As a result, certain security threats are not worth investigating for regional or national agencies, but would be well worth it for a supra-national organisation.
The “do nothing” option will result in very slow progress on standards and definitions relating to critical infrastructure protection, covering public and private participants. And it will mean that governments across Europe are unable to focus investment in private sector companies into security research where new work is urgently needed. The US experience is that public sector research investments now represent around a quarter of all US investments (down from half in the mid 70s) – but still represents nearly half of all basic science research. It takes research incentives to help private sector organisations make investments in certain areas – at present, those incentives are missing in Europe.
The lessons from Mumbai most recently, but also from Madrid and London and Estonia and New York (the list goes on and on), are such that sitting on our hands and doing nothing is absolutely the wrong choice. The threat landscape is worsening. Let’s make sure that we are doing the best we can to make life as difficult as possible for the bad guys.
Comments