The choice of soft targets in recent terrorist attacks in Orlando, Paris, Brussels, and San Bernardino has raised questions about the safety and security of private businesses. What do the managers of typical soft targets — public gathering places such as nightclubs, hotels, restaurants, offices, or public transportation that are particularly vulnerable — need to be thinking about concerning terrorism and active shooter events? How should law enforcement and intelligence services coordinate, work with, and share information with the private sector? And, more broadly, should the United States start a conversation about a cultural shift to consider and adopt a radically higher level of security in daily life?
The Cipher Brief spoke with members of the business community, security consultants, and government officials to explore possible ways businesses can try to mitigate security risks and gauge what kind of conversation the U.S. private sector is having about increasing security in response to attacks, such as the mass shooting at the Pulse Nightclub in Orlando that left 49 people dead and 53 wounded.
The private sector shouldn’t think to “all of a sudden become de facto law enforcement and intelligence collectors because they don’t need to — we have law enforcement and intelligence collectors that can effectively and efficiently respond. That being said, there are ways the private sector can better collaborate, share more information and help make their jobs easier,” The Chertoff Group’s Jayson Ahern, former acting commissioner of U.S. Customs and Border Protection, said.
Experts say although it is highly unlikely the U.S. would move to a level of security vigilance similar to that of a country like Israel, for instance, soft targets will be looking for ways to harden in response to potential threats.
“There will be reverberations from this attack,” Greg Schneider, a security consultant and president of Battle Tested Solutions, said.
Is the private sector prepared?
“The answer is certainly not,” said Kevin Doss, president of security services and training business Level 4 Security and author of “Active Shooter — Preparing for and Responding to a Growing Threat.”
Security consultants and professionals agreed on a few simple steps businesses should take to better try to mitigate risks for business and to try to save lives going forward: Focus on planning, training, and performing a risk assessment or vulnerability assessment of operations. And beyond thinking of ways to potentially prevent or mitigate such events, companies taking security seriously also need a rapid recovery plan to figure out what to do in the aftermath.
“A lot of the private sector has not invested in protecting their personnel and visitors from acts of terrorism or active shooter events. That’s pretty evident when we look at the aftermath of a lot of the shooting events,” Doss said. “Businesses and organizations are not fully taking the threat serious enough to invest in time, procedures, and security measures to mitigate some of the risks.”
On the government side, the Department of Homeland Security said it is leading a major outreach effort to promote security for private businesses. The department has been hosting calls and engaging with private business this week, in particular, and has a long-term program with 100 protective security advisors in every state who work closely with and try to build relationships with industry.
Caitlin Durkovich, DHS Assistant Secretary for Infrastructure Protection, said the advisors help keep businesses in the loop on “developments as it relates to evolving threats, especially given this terrorist-inspired environment we’re living in.” DHS also provides businesses no-cost resources to help them think about improving security, training employees, and leveraging best practices, she noted.
For smaller and medium sized businesses in the wake of incidents such as Orlando, DHS focuses on “passing on recommended practices and things they need to think about to really adjust to the reality of the world that we’re living in. We have certainly entered this phase of not if, but when,” she said.
“We’ve got to help small and medium sized businesses who are resource constrained, who can clearly be overwhelmed by this, and give them the tools to prepare themselves,” Durkovich added.
J.C. Diaz of the Nightlife Association, a trade organization of the nightlife and hospitality industry, said the group has been receiving many calls from members asking for security guidelines for how to respond to such incidents. And since the Paris terrorist attacks, which targeted a concert hall, restaurants, and a sports stadium, the association has “been seeing a lot more venues wanting to get their staff certified for security training,” Diaz said.
“It’s not just the manager or the security, they also want their bartenders or bar members to be certified and trained how to properly engage these type of situations,” he said. “We don’t believe that alcohol and guns mix. We would rather leave that to the professionals, as long as they are licensed, have taken a certification course, and are trained tin the rules of engagement — whether that be law enforcement, security, or the bar staff.”
Ahern, who noted he expects industry will likely “make more robust plans in the wake of Orlando,” said businesses need to “make sure you have a layered approach to security — look at what’s the first opportunity to protect infrastructure.”
“There’s no one size fits all solution, but they need to take a look at the risks, what the most critical asset areas are, and take action,” he said.
A nightclub provides a particularly difficult challenge for security professionals. With these venues, where there is a small crew of employees and a revolving door of people entering and exiting, making sure everyone is on the same page in an active shooter situation is a much more difficult task than it would be in an office space with more naturally stringent security controls.
But properly training security personnel yields another question in light of the Orlando mass shooting, which was perpetrated by Omar Mateen. The shooter, who was employed by private security company G4S, had security officer and firearms licenses. Schneider noted that one of the vulnerabilities that’s currently in the security marketplace is that security guards are certified differently on a state-by-state basis. “There’s no standard to be a security officer at a federal level,” he said.
A different way of doing security?
“In security planning, we are often reactive. A new event happens, we look at our security, we learn from it. An event will expose a new weakness and security steps can be taken. We always have to examine the costs of doing so, though,” Henry Willis, director of the RAND Homeland Security and Defense Center, said.
But moving to a much higher level of security in the U.S., emulating countries such as Israel where it is all-encompassing in daily life, would likely be too costly, both in financial and civil liberty terms, observers said.
“Does Israel do security right? Absolutely,” Doss said. “However, they spend a lot more money on security when it comes to hiring professional staff. Most businesses can’t afford to pay security officers $60,000 a year in salary.”
“Do I think we need to go to that level? Probably for some organizations, yes. But I don’t think across the board we have to. I think we need better training for security officers,” he added.
Ahern noted that in the wake of these events, people often look back at what Israel has done in the past in the face of incidents like nightclub bombings. “But it’s a whole different challenge,” he said, and in the U.S., there is “no appetite” for some Israeli tactics, such as aggressive interrogation techniques, due to civil liberties concerns.
Furthermore, Israel faces an existential threat which is not the case in the United States.
But one thing some U.S. private businesses could adopt from an Israeli model is having security drive revenue, Schneider, a veteran of the Israel Defense Forces who lived in the country for nine years, said.
“They’ve leveraged their security practices into generating more business,” he said, pointing to the success of Israeli airline El Al in particular in promoting its stringent security policies as part of its product. “Forward thinking companies in the U.S. will say, I want to invest more in security, employee and customer experience, and will attract more business by saying, you’ll be safer and secure here.”
But experts agree that active shooter incidents are simply difficult to defend against. “There are too many cases to be acceptable, but at the same point, there are too few cases to draw very large patterns about what causes someone to be violent,” Willis said. A few notable aspects do tie together many of the episodes, Willis added, such as the perpetrator being a malcontent, personal problems and the lack of any public activity that allowed law enforcement to act, he said.
Given that the Orlando gunman was on the FBI’s radar, “we do need to have a discussion that would encompass what we want to do about investigations to prevent terrorism and prevent hate crimes,” he said.
“But, unfortunately, active shooters don’t make themselves easy to identify before they actually commit a violent act,” Willis said.
What, then, can be the way forward for business? “The unfortunate circumstances are, some of these softer targets are still going to be potential targets of opportunity for lone wolves or potential bad actors,” Ahern said.
But, he said, the Orlando attack and other incidents in the U.S. make it clear there is a need for “stronger intelligence, better coordination with intelligence and law enforcement, and to build a stronger role for the private sector.”
Connecting with law enforcement, putting together a plan, training employees, and reporting suspicious activities are necessary to thinking through the reality of the security landscape, DHS’ Durkovich said.
Although it is not feasible to ask every soft target in the U.S. “to have metal detectors and do bag searches,” she said, the government needs to help the private sector “understand this very dynamic threat environment we’re living in.”
“As much as we talk about the motives of what happened in Orlando, we really are living in an environment where we have to work with businesses of all sizes to prepare for the eventuality of such an attack, and how to help mitigate it and manage this risk,” she said.
