Why do we still wait until a tragic event occurs before taking meaningful preventive action? To say simply that this is human nature is unsatisfactory. The truth is, American society places more importance on making money than it does on the security of the general public.
Some of us remember the '70s scandal involving the Ford Pinto's exploding gas tank. An internal Ford memo revealed that upper management knew about the design flaw and the potential danger, but chose to deal with the possibility of lawsuits rather than the certainty of lost profits if they retooled the line. In the words of Michael Corleone, “It's not personal, Sonny. It's strictly business.”
For too long, we viewed these “oversights” as unfortunate lapses in judgment on the part of individual senior executives. The Enron debacle was primarily a financial disaster, but it had the secondary effect of weakening our critical infrastructure. In the last 10 years, federal regulations such as HIPAA, GLBA and SOX have been implemented with a goal of establishing and enforcing information security standards for the government and the private sectors. These regulations are necessary to compel action.
Once I believed that federal regulations were unnecessary for the private sector. I believed, as Adam Smith wrote in 1776, that the “invisible hand” of free-market competition would force corporations to protect their own self-interest. I agreed with Herbert Spencer, who coined the term “survival of the fittest” in 1851 in support of free-market competition. Both of these renowned economists would oppose federal regulations that inhibit capitalism and the free market. But I no longer wholeheartedly subscribe to their theories.
Free enterprise and capitalism have been the engines behind our country's development into the world's only superpower. However, I reject the idea that the security of our nation, our communities, and our families should be left to the equity of Smith's “invisible hand” or Spencer's “survival of the fittest.” In today's world, someone decides who is fit and who is not. Consider the shortage of H5N1 flu vaccine. We have enough vaccine for about 25% of the population of the United States. In the event that bird flu becomes a pandemic, who gets the vaccine? According to Smith and Spencer, it will go to the rich and powerful. Federal regulations, although certainly imperfect, are the best chance for those who need the vaccine the most—the elderly and children—to receive it.
We must take preventive actions to better secure our nation, our communities, and our families from natural and man-made threats. To do this, we must recognize the opportunity of ordinary days. Ordinary days are those days before the tragic event occurs. They allow us the opportunity to plan and to implement effective controls. It is our responsibility to identify, educate, organize and direct our available resources to better protect our country, our organizations, and our families from natural disasters, disease, and those who would do us harm.
If you manage security for a small or mid-size business, you may think that what you do or don't do to prepare your organization for disaster has no effect on the big picture. But it does. I remember reading an anecdote about a man and his friend walking together along a beach strewn with shells and starfish that had been washed ashore. Each time they walked past a starfish, the man would stop, pick it up, and hurl it back into the ocean. After watching this several times, the friend commented, “You know that hundreds of starfish are washed ashore each day. You're wasting your time; throwing one starfish back just doesn't matter.” The man replied, “But it matters to this one.” Small victories are the essence of ordinary days. There are no reporters and no cameramen, but the voice inside of each of us says we did the right thing.
I don't want to tell you what to do or how to think. I am an advocate of education and awareness. But the threats facing us are real, and the timeliness of our response may save lives, whether the disaster is a terrorist act or an epidemic. Choosing to remain poorly informed about today's natural and terrorist threats is irresponsible, particularly when there are organizations willing to educate you on issues ranging from bio-terrorism to protecting our critical infrastructure. If you choose to be an active participant, you can carve out a role for yourself to suit your circumstances.
So, who are these guys? While there are many such organizations, I am going to highlight two for your consideration:
• InfraGard is an FBI program that began in 1996 as a local effort to gain support from the information technology industry and academia for the FBI's investigative efforts in the cyber arena. The program expanded, and in 2003 became a national initiative. InfraGard and the FBI have developed a relationship of trust and credibility in the exchange of information concerning various terrorism, intelligence, criminal, and security matters. It is the goal of InfraGard to improve and extend information sharing between private industry and the government, particularly the FBI, when it comes to critical national infrastructures. See www.infragard.net.
• United States Private and Public Partnership or USP3 (formerly SWERN and SEERN) is under the auspices of the Department of Homeland Security and the FBI Intelligence Section. Membership is vetted and projected to reach 200,000 in 2006. One of the primary functions of USP3 is participation in the All Hazards Alert process, which
- improves information sharing with emphasis on the private sector
- leverages federal, state, and local resources
- provides regional autonomy to allow each area to address specific regional concerns
This expanded communications network provides a means of informing public- and private-sector partners about current and relevant threats and vulnerabilities. It is a goal of USP3 to better connect private-sector partners with real-time information flow and situational awareness to increase the overall level of security, regardless of the threat.
It is better to know than not to know. It is better to act than not to act. Unfortunately, each of us will face some form of medical, natural or man-made tragedy in our lifetime. Our response could save lives. We should all use the opportunity of ordinary days to prepare.
Bob Wynn is the former director and state chief information security officer for the State of Georgia. His 20 years in the security field include experience in senior security management, infrastructure protection, computer crime investigations, policy writing and achieving compliance with federal regulations. For six years, Mr. Wynn has been an instructor at the FBI National Academy in Quantico, VA, specializing in cyber-terrorism, trends in computer crime, and the behaviors and the motivations of computer-aided criminals.