If it walks like a duck and quacks like a duck…

At this writing, it has only been about two weeks since Major Nidal Malik Hasan’s murderous rampage in a room full of unarmed soldiers and family members at Fort Hood, Texas. Even writing that first sentence was tough for me as I consider the lives snuffed out by this home-grown terrorist who operated as a leader among them. I realize not all military officers have the same responsibilities, but Major Hasan was a military officer and a leader through his healing profession.

As the victims were still being identified, we were treated to an inaccurate depiction of the massacre starting with the President of the United States and spinning its way through Congress as well as the various media outlets. It started with using the inappropriate term “tragedy” to describe that horrific event. Once invoked by the President, the copycat politicians and scribblers at nearly every print and television media organ settled on the “tragedy” meme.

Anyone with a classical education will tell you the term tragedy was a Greek invention involving a human character who is flawed and not simply evil. He is buffeted by circumstances, fate and the pantheon of Greek gods in his Earthly struggles. Ultimately, he ends up a pitiable victim overwhelmed by the combined natural and supernatural forces that besiege him. In modern parlance, a tragedy is most accurately identified when the elements of happenstance and human destiny create a disastrous outcome. Had the victims of Major Hasan been killed by a freak Texas tornado, the event could possibly be described as a tragedy. As it is, there was nothing “tragic” about this premeditated murder of defenseless people at the base Readiness Center.

Once we reject this slaughter as a tragedy, we can then look to understand the threat — in this case, one Major Nidal Malik Hasan. Those of us steeped in risk management fundamentals know that a threat is either human or environmental. The threat exploits a vulnerability and, in turn, impacts an asset or mission. Sadly, the accurate depiction of a threat eludes many of our elected officials. New York Senator Charles Schumer ran to the microphones after the “tragedy” (his word) to decry the handgun used in the assault, as if the Fabrique Nationale Herstal Five-seveN woke up that morning, decided to kill soldiers at Fort Hood, and went looking for ammunition and car keys in Major Hasan’s apartment.

Now, evidence has surfaced from dozens of Major Hasan’s colleagues, coworkers, patients and superiors that point to a man who was certainly a potential threat. In addition to his e-mails to radicals and terrorist sympathizers intercepted by the FBI, there were numerous first-hand accounts of his attitudes and beliefs, including an entire PowerPoint presentation he developed and presented to Army colleagues. Unlike the expected, “he-was-a-quiet-fellow” musing from neighbors and friends, Major Hasan left us a veritable roadmap that would lead to his nefarious actions at Fort Hood.

There have been many pundits who have speculated on the reasons why his Army superiors choose to either downplay or downright ignore these warning signs, so I won’t cover the possible motives here. The largest single failure was simply a refusal to understand, define and ultimately recognize the threat. Whether through willful neglect or fear of reprisal, his superior officers shoulder a great moral burden today.
Security professionals of all stripes must be willing to challenge their own perceptions of threat. We must make a conscious effort to look beyond our assumptions, prejudices and personal preferences to obtain a clear picture of the empirical likelihood that underpins the risk equation of threat, vulnerability and asset. Once the threat is identified, it needs to be carefully assessed and managed. Many times, you can only seek to patch and mitigate your vulnerabilities since you may not be able to completely control the threat. When dealing with malicious computer code, for example, you do not have the knowledge or ability to have the authors arrested before they wreak havoc on your computer infrastructure. In Major Hasan’s case, however, the U.S. Army had ample warning and the ability to manage the threat lurking within their ranks.

We must all be alert to the signs of an emerging threat. In order to be effective security professionals, we first must give that threat an accurate label. By calling Major Hasan “deranged” or a victim of stress, we have misidentified the threat, and cannot formulate an effective strategy to mitigate the risks he poses. By calling him a terrorist, we have a much clearer picture of not only his motivation, but a better understanding of the destruction possible from such a threat. Let’s call it like it is.

John McCumber is a security and risk professional, and is the author of “Assessing and Managing Security Risk in IT Systems: A Structured Methodology,” from Auerbach Publications. If you have a comment or question for him, please e-mail John at: Cool_as_McCumber@cygnusb2b.com.