How not to respond

March 18, 2010
John McCumber examines the aftermath of the Christmas Day bomber incident

Within hours of Umar Farouk Abdulmutallab’s attempt to bring down Northwest Flight 253 on Christmas Day with his "Fruit of the Boom" underwear, we were treated to a parade of public officials from the President of the United States down to functionaries in federal agencies trying to explain away the incident as an aberration. Background facts began to dribble out of the dead-tree media over the week following the botched attack showing these pronouncements to be at best, ill-advised. For an administration that went immediately to the podium asking America not to jump to conclusions in the wake of the shocking Fort Hood murders, erroneous conclusions were being proffered while we were still escorting the shaken passengers off the aircraft.

Abdulmutallab was initially painted by the administration as an "isolated extremist" who had managed to sneak explosives past the standard screening process, The Washington Post ran a bizarre Page 1 article that quoted some of his adolescent FaceBook ramblings on loneliness and his inability to find a true Muslim friend. Perhaps the Post’s premise was he was the first young man from a wealthy family sent to another country for schooling who felt lonely. Perhaps the editors felt a religious dating service or a pen pal would have helped. Then the head of the Department of Homeland Security popped up on television to say the “system worked.” She later qualified that to mean after the failed attack.

As more information became available in the following days, it became clear that Abdulmutallab was hardly an "isolated extremist" who whipped together a chemical bomb in his college dorm room because he was friendless and bored. Not only was he trained by a terrorist organization in Yemen, he managed to send up more pre-flight red flags than a Chinese May Day parade. Even after his eminently respectable father made pleas to Nigerian and U.S. officials, he was able to travel on a visa with a one-way ticket paid with cash, and did not so much as a check a bag on his international flight.

Just this morning, another government antiterrorism "expert" from a previous administration showed up on the cable news station to endeavor to explain how all these alarms went unheeded. He stated that had Abdulmutallab’s father been able to cite more specific data such as the day of the attack and the actual flight number, this information would have gone right to the top of the priority stack at the Department of Homeland Security. Perhaps. Perhaps not. There’s no proving that would have been the case. His comments were nothing more than vapid speculation and should have elicited a guffaw from the interviewer.

For those looking for a crash course on what not to do in the wake of a serious security breach, there could be no better case study. Here are some key takeaways for security professionals:
- After a serious incident such as this, don’t run out and try to tell your constituents that your security program worked just dandy. Whom are they going to believe: you or their lying eyes? Any explanatory caveats you place on your comments at a later time will sound fatuous and label you a butt-covering fraud. Security breaches happen. Own up to any shortfalls or mistakes.
- If you’re not yet sure of all the facts, say so. Saying there was no "smoking gun" only to have the steaming six-shooter suddenly appear on the Jumbotron behind you makes you appear incompetent. If you don’t know, simply say so.
- If you’ve had your job for more than month, don’t blame the guy who had the gig before you. Laying the rap on your long-gone predecessor does not instill confidence in your abilities. Perhaps they dumped the guy before you because you claimed to be able to do a better job. Now is the time to prove it.
- Develop a solid "get well" plan, and lay it out there. Review the incident, accept the blame for your mistakes or oversights, and most importantly, show exactly how you and your staff are going to both recover from this breach and preclude its recurrence. That’s how a professional does it.

The ability to deliver on an effective remedy is key. In this case, where only a defective chemical primer and the actions of a brave Dutch tourist saved the lives of nearly 300 innocent travelers on Christmas Day, some of these “experts” should be looking for a new career. The only actions that could make a potential remedy worse in this situation is if millions of innocent travelers will be inconvenienced even more because of an intelligence failure. Oh, wait…

John McCumber is a security and risk professional, and is the author of “Assessing and Managing Security Risk in IT Systems: A Structured Methodology,” from Auerbach Publications. If you have a comment or question for him, please e-mail John at: [email protected].
About the Author

John McCumber

John McCumber is a security and risk professional, and author of “Assessing and Managing Security Risk in IT Systems: A Structured Methodology,” from Auerbach Publications. If you have a comment or question for him, e-mail [email protected].