The threat horizon within the context of security risk management continually evolves, writes Jon Roadnight. Threats emerge largely in response to the identification of vulnerabilities. Those vulnerabilities are either perceived or real, but without a vulnerability or weakness, the threat cannot be fully exploited. While the threat might remain theoretical, that doesn’t mean we shouldn’t seek to mitigate it and, depending upon the potential impact the threat might exert, that mitigation might need to include a significant level of resource being committed towards it.
Sometimes, threats are sophisticated and require highly motivated and well resourced actors to exploit them. It could be argued that, the larger the potential gain for the threat actor, the more effort and resource might be applied. Hostile reconnaissance techniques used by threat actors seek to find weaknesses in existing security measures. That process might include reviewing deployed security systems or physical security measures. It might also include looking to understand what the response to a security breach consists of. Is the security response capable of curtailing the security breach and would an unsuccessful breach still offer some form of success?
Particularly in relation to the threat from terrorism, the impact doesn’t always have to be significant for the perpetrator to consider the outcome successful. By its very nature, terrorism relies on generating an atmosphere of fear and it might be good enough to simply bring a vulnerability to the public consciousness for it to have far-reaching consequences.
Action mitigates new threats
On 22 December 2001, an aspiring British terrorist by the name of Richard Reid (also known as Abdel Rahim) attempted to detonate an explosive device packed into his shoes while on American Airlines Flight 63 travelling from Paris to Miami. Reid had calculated that he could conceal enough high explosives within his specially adapted shoes to blow the Boeing 767 aircraft out of the sky, thereby killing the 197 passengers and staff on board, himself included. Thankfully, Reid’s plan failed.
Although nobody was killed or even injured, as a direct result of this episode airlines introduced much more stringent security protocols and passengers were asked to pass through airport security in socks or bare feet while their shoes were scanned using X-Ray machines and chemically tested for traces of explosives.
In 2006, a new protocol was introduced as a consequence of a successful intelligence-led operation orchestrated by UK Security Services. They had uncovered the ‘liquid bomb plot’. The objective of the perpetrators in this case was to blow up a number of aircraft in a co-ordinated terrorist attack that might have been more deadly than 9/11. Once again, the terrorists had identified a vulnerability that they believed they could exploit by taking the component ingredients of an IED on to a flight and then constructing and detonating it while en route from Heathrow to the US.
The immediate response to uncovering this plan was for the UK Security Services to instruct all airlines that no passenger should be allowed to take any hand luggage on board a flight leaving a UK airport. This included any liquid, food and even mobile phones. The ban created massive disruption, with British Airways having to cancel over 1,500 flights in the first week alone.
Quickly, though, the Security Services, in conjunction with the airports and airline authorities, revised the restriction, determining to focus instead on the liquid. Passengers were restricted from carrying any container with more than a 100 ml capacity and, although cosmetics and personal hygiene products meant that each passenger might have a number of containers, the combined volume was still assessed and reduced if felt to be excessive.
Reduction in the risk level
Once again, this was a direct response to a perceived – as opposed to a real – threat once it had been identified and it had far-reaching consequences. The disruption and consequential cost of the mitigation measures were colossal, but the reduction in the level of risk by taking those remedial actions was deemed to be necessary.
As a society, we have been conditioned over many years to accept the impact of apparently necessary mitigation as the ‘cost’ of reducing the amount of risk to an ‘acceptable’ level. Indeed, this approach forms the basis of many risk management methodologies. The internationally recognised ISO 31000:2018 Risk Management Guidelines provides principles, a framework and a process for managing risk. It starts by identifying the inherent risks and, once control measures are applied, the residual level of risk is measured and the difference between the two should represent a reduction to an acceptable or achievable level.
The logic seems simple. Where there is a threat, perceived or real, we work out a way in which to reduce or eradicate it and accept the fact that, sometimes, the cost or disruption of doing so can be significant. The larger the threat, the quicker we tend to respond when it comes to introducing the appropriate mitigation.
Inertia is dangerous
Why, then, are we not dealing with the proliferation of Unmanned Aerial Vehicles (UAVs) or ‘drones’ as they are more commonly known? UAVs pose a significant security threat but, to date, our response has in no way recognised the seriousness of the situation.
The paradox is clearer when compared with the identification of other threats. Based on a range of effective control measures being introduced relating to the sale and storage of explosives, the sale of the components of IEDs, the vetting, licensing and controls around guns and ammunition (in the UK at least) as well as many other potentially harmful items, we’ve seen a trend away from their use and one focused more towards so-called ‘less sophisticated’ terrorist attacks. Driving vehicles into groups of people or attacking them with knives and hammers is the manifestation of a ‘less sophisticated’ attack and, although the impact and the fear that it generates are no less significant, the casualty count probably is.
UAVs offer those who would seek to cause harm and mayhem a broad range of opportunity for both sophisticated and unsophisticated attacks. Without wishing to promote for a second the range of possibilities that exist, we have already seen many examples around the world where UAVs have been used for illicit, criminal or terrorist-related activity. Indeed, the Internet is full of graphic footage recorded by on-board HD cameras. There are many examples where secondary UAVs have been used to record the activity of the primary device, either to verify a mission’s success or purely for the benefit of propaganda.
The threat is real
In August this year, two low-cost UAVs were used in a reported assassination attempt on Venezuelan President Nicolas Maduro. Both UAVs carried a payload of explosives that detonated in the air above a large crowd of assembled military personnel. Although there were no reported deaths, there were many injured, some of them in the panic that ensued immediately after the explosions.
Last year, Professor David Hastings Dunn from the Department of Political Science at the University of Birmingham wrote an article entitled ‘Small drones and the use of chemical weapons as a terrorist threat’. The threat that Professor Hastings Dunn was alluding to was clear and the subsequent examples from areas of conflict around the world suggest the threat is indeed real.
We would have all seen footage recently on the UK news of prisoners receiving drugs and other illicit items delivered to their prison cell windows via the use of small, very low-cost UAVs. You may have missed, however, the politically destabilising incident that occurred when a small UAV, which had an Albanian flag hanging from its underside, hovered above the playing field during an international football match in Belgrade between two political foes, Serbia and Albania. The match was abandoned and there were many injured in the riot that ensued at the stadium.
Urgent action is needed
In the past, we’ve responded promptly and decisively to the perceived threats associated with a broad range of criminal and terrorist-related activity. Regardless of the disruption and (albeit to a lesser degree) the cost, the response has served to successfully mitigate the potential impact identified.
It’s currently possible to acquire, without any form of registration or licensing, highly sophisticated UAVs that fly at high speed and are capable of being piloted remotely or automatically. Low-cost UAVs are set to be one of the biggest selling items this Christmas, but most recipients will be ignorant of the rules and regulations associated with flying them.
We’ve already seen near misses at major airports and many examples from around the world of dangerous, criminal and terrorist activity that will inevitably lead to injuries and loss of life. Can we continue to ignore this developing situation?
The Civil Aviation Authority doesn’t have the resources necessary to adequately control UAV usage, while the police service appears to have no appetite to confront the threat that’s posed.
The UK Government and Security Services have previously acted effectively in response to other perceived threats. It’s clear that the threats associated with UAVs are real and, if the present apathy is allowed to continue, our opportunity to mitigate them successfully will have been lost.
Jon Roadnight is Director of CornerStone