Two days ago I attended a security briefing organised by US State Department’s Overseas Security Advisory Council, together will security directors of many American firms for China and Asia Pacific.
During the course of the event, a speaker asked the audience who had their budget slashed, many hands raised. The next question on personnel cut also saw many raised hands.
Last week’s Global Security Asia, a large biannual security tradeshow and conference in Singapore, was conspicuously much quieter than the same event two years ago. A few police officers from another country whom I spoke to earlier told me that their planned trip was cancelled because of the budget freeze.
In the downturn, it is normal that many organizations are cutting budgets and staff. But weakening your own security capabilities, no matter you are public sector or private company, is only going to be counterproductive.
A particular problem is the security threats caused by layoffs. When the newly unemployed lose hope in finding new jobs, they start to take revenge against their previous employer or the society.
Analysts believe as the crisis deepens, the number of economic protests, some of which violent, will continue to rise. The Wall Street Journal recently said that “as China’s jobless numbers mount, protests grow bolder”.
In China, the number of unemployed workers had risen from five million to 20 million between New Year and end February, and the figure is estimated to be 25 million now and continues to rise. It is also estimated that only five per cent of them stayed in their villages after the Chinese New Year holidays – the majority still came back to cities where jobs are now scarce.
At the OSAC conference, the gentleman who sat next to me runs the security operations of a large IT hardware company in China, where they hire more than 40,000 employees. Recent dwindling orders have forced them to cut jobs, and it is a headache ensuring how this is done smoothly without causing much upheaval.
Several executives of an American company was held hostage at their manufacturing facilities in China, amid an impasse in layoff negotiations. On March 12, a retrenched worker in Guangzhou stabbed two senior staff of his jewellery factory to death before killing himself.
Last November, an engineer in Silicon Valley shot three of his colleagues dead after he was fired by the company. The casualties were the CEO, the Vice-President and the Director of Human Resources.
And some people choose to target organizations which they believe are to blame for the whole crisis.
Just last week, an individual who blamed the US for his recent retrenchment had smashed glasses of a few cars outside the US Embassy in Beijing before he was apprehended. A few weeks earlier, someone crashed his car into the gate of the same Embassy for the same reason.
In January, a man wearing a vest of firecrackers tried to detonate the explosives at a police station in Shanghai, killing only himself.
China is currently training directors of 3000 county-level Public Security Bureaux (local police forces) to deal with the crisis.
A friend of mine, who works for a major financial company here in Hong Kong, had a colleague who was recently dismissed. The newly unemployed lady turned up in the office the next week with a huge white bag. The whole office was in fear of possible retaliation by her and nobody could concentrate on their work during the two hours she was there.
It later turned out she was only there to take her belongings, but nevertheless caused a significant loss of productivity to the company. Who would expect employees who fear both job security and personal security to work productively?
And it is not physical security which is more stressed, a recent survey by Symantec and Ponemon Institute showed that among the employees who lost or left a job in 2008, more than half admitted to have stolen confidential company information, such as customer contact lists.
Rajendrasinh Makwana, a former UNIX contractor for the American mortgage giant Fannie Mae, implanted a logic bomb in the company’s network after he was fired last October. The “bomb” would have been activated and irretrievably erased all the company’s records on January 31 this year.
By pure luck, another programmed discovered and script and disabled it. Otherwise it would have shut down the organisation for at least a week and cost millions.
While none of these problems is new, they are becoming more common because of the downturn, and thus require more attention. Layoffs are major decisions to make, therefore they deserve proper risk analysis and relevant mitigation measures put in place.
And to slash on security is probably the last thing you want to do.
View/Add Comments
Many are familiar with the story about space pens. It basically goes like this:
“During the heat of the space race in the 1960’s, the United States’ NASA decided it needed a ballpoint pen that could write in the zero gravity environment in their space capsules.
After considerable research and development, the Astronaut Pen was developed at a cost of approximately a million dollars. The pen worked well, and even enjoyed some success as a novelty item back here on Earth.
The Russians used a pencil.”
The story was not true (as most jokes are), but it highlighted an issue that is worth some thoughts – why do we need complex systems when sometimes simple solutions can achieve the same, if not better, results?
I recently visited Global Security Asia exhibition, the biannual showcase in Singapore of the latest security technologies.
As in the same event I went for in 2007, there were lots of amazing developments there, but what struck me the most was a small stand without anything running on battery or power cable – instead they had a lot of greenery.
A closer look revealed that they were no ordinary plants - each branch was hard and prickly.
Jean-Marie Zimmermann, who managed the booth, brought out a few brochures (no computer demos), and explained to me how these plants protect assets and borders.
The company Zimmermann works for produces “La Clôture Végétale” – a plants weaving technique which produces effective and yet natural (read: green) intrusion prevention at the perimeter.
There is no solid physical support for ladders; branches close to the ground prevents crawling; its complex weaving means it can’t be cleared unless by hours of (cautious) work or extremely violent means (such as bulldozers). In addition, the running costs are kept minimal and the system is supported by the plants’ roots in the ground.
Sensors can be woven into the mesh and anti-ram barriers can be hidden in the plants. These additional protection measures invisible from outside create big trouble for intruders.
The names beberis julianae, Gleditsia triacanthos and ligustrum ibota gave me the illusion of being in a Roman-era garden. Nevertheless I was not surprised to learn that instead of engineers, the company’s R&D department consists of botanists.
The choice of plants for each site of deployment, equally unsurprisingly, depends on the soil (or sand) and the best suited plants will be found, if not bred.
United States’ border with Mexico has been a longstanding headache for the government – multiple systems consisted of radars, barbed wires or even barrier walls deployed by the authorities were not only expensive (thus not able to scale), but also ineffective.
In Asia, many countries also have long borders, and the complexity of guarding these borders effectively lead to widespread objection of international treaty on banning anti-personnel landmines (Ottawa Treaty). In fact Asia is the only continent where most countries are not members of the Treaty.
Instead of sprinkling sensors (which are not only expensive but also extremely difficult to maintain) or deploying landmines (harmful in all senses), a simple green solution is probably the best way to go. In fact Saudi Arabia, which is not a member of the Ottawa Treaty, has already deployed the plant protection to some parts of its borders.
The biggest challenge for Zimmermann, as one can probably guess, is the governments ban on plant import in many countries. But he is optimistic about that, “the first buyer in a country is almost always the military or the government, the need for effective security supersedes import regulations.”
Later that evening, I had a coffee with Arnaud Chevreul, Commander of the French elite counter-terrorism force GIGN’s logistics unit. He was surprised that this most people here are unaware of this solution, since it has already been deployed in many sites in France and its effectiveness widely recognized in the country.
Zimmermann also revealed that many visitors, fascinated by the technique, all said the same thing: “why haven’t I thought of this?”
View/Add Comments
In the science fiction film Minority Report, identification by iris scan is so prevalent that there is an underground industry offering ex-criminals and others in need the chance of eyeball transplant.
This is not happening yet. Nevertheless, criminals are already (successfully) undermining fingerprint scanning – currently the de facto standard for biometric identification.
A South Korean woman barred from entering Japan fooled the finger reader at the country’s immigration by using tape on her fingers. She was deported in July 2007 but found by the immigration bureau again in the country in August 2008, Japanese news reports say.
As the tape was believed to be supplied by a South Korean broker, many unwanted individuals and ex-offenders might have already entered Japan using that method.
The talks about biometrics are remarkably quieter than three years ago – as people are already implementing solutions. Japan is undoubtedly one of the first to use this technology, but many other countries now allow their residents to pass the borders via ‘e-channels’. You present your passport (biometric or not); the machine will then take your fingerprint (or sometimes iris pattern), match it against the database (centrally stored or on your passport/card) before letting you pass.
I still remember two years ago, when the CIO of Singapore’s immigration authority complained to me that the country’s manual counters were already so efficient that people were reluctant to use a newer option. Now just by looking at the immigration lines at Singapore’s Changi airport, you will know that the automated immigration clearance system has already become part of the travelling life for many residents of the island state.
And it is not only the technologically ‘sophisticated’ countries like Singapore and Japan which have implemented biometrics – a few days ago a friend of mine entered the Mainland China (from Hong Kong) via e-channel, leaving me waiting in the crowded queue at the manual immigration counter, where the officer struggled for minutes to get my name right.
It has to note that for many countries, biometrics is used as a simple measure to expedite immigration clearance for legitimate travellers, usually residents of that particular country. Whilst in the case of Japan (and of the United States as well), it is also intended to keep unwanted people out.
This, however, is a much more difficult enterprise.
Japan’s US$ 44 million biometric system, installed in over 30 airports in 2007, reads the index fingers of visitors and cross-check them with a database of international fugitives and foreigners with deportation records.
The stations, which are located at manual counters, also take a photo of each individual visitor for comparison – the oldest form of biometrics used for identification.
The problem is, the databases, from Japan’s Immigration Bureau as well as the International Criminal Police Organisation, only contain data of the individuals already known to them. If someone on the database alters his/her appearance or fingerprint, chances are he/she will get clearance smoothly.
Vouching system – a method currently being explored in the virtual world whereby an individual already authenticated vets for another individual – doesn’t work very well in this instance. The simple fact is, not everyone visitor has a person willing or able to vouch for him/her.
In fact, a passport itself is a vouching document as it is issued by the government of another country that you choose to (or in very rare instances, choose not to) trust. And this foreign government acts a vouching party. But there is a problem of forged passports.
With a universal database covering the entire humanity seemingly impossible to be realised any time soon (if it is ever to be), fake passports and fingerprints will still have their market.
It is not yet known (to authorities, and perhaps not to criminals) how easy it is to forge a biometric passport, but with many countries yet to put a chip into their citizens’ travel documents, something more needs to be done at the receiving end.
One perhaps realistic solution is to add the number of biometrics in the database – it will not stop identity forgery completely, but will dramatically increase the cost of doing so. It is just as the concept of multi-factor authentication widely used in the information security arena. Of course, use those well developed and less problematic ones such as iris, fingerprint and perhaps hand geometry.
This will, however, inevitably increase the operational costs of immigration authorities as well, and collection of biometrics is never an easy undertaking. Unwanted people will eventually find a way to get around it, leaving the costly equipments and the reputation of the immigration agency in tatters.
A better solution would be providing more training to immigration officers, turning them from manual operators into intelligence professionals. The cost would probably not be as much as the state-of-the-art biometric systems, but the effect could be dramatic. Counter-training that brokers might offer to offenders is extremely difficult, especially as compared to disguising appearances.
Again, it comes back to the notion that security is always an evolving process, good guys and bad guys are always playing catch up against each other. Be attentive, vigilant and professional helps the good ones get the upper hand.
View/Add Comments
There was once a time when people were saying Asian Security Review had great content, but the format was like a newsletter; those days are long gone. People nowadays pick up the magazine, enthralled by the look, before they relish the content.
There was also a period of time when people thought that Asian Security Review’s web site reflects the character of many in security – professional but a little bit conservative, or boring in layman’s terms.
This has become history as well – the new AsianSecurity.org web site is now officially launched.
The idea of revamping our online presence was incepted a while ago, but talking to security professionals, staging events and training kept us really busy.
The web site is not just an online mirror of the magazine, it provides up-to-date physical and information security news from across the region and beyond, carefully categorised into different sections.
And it is more interactive, our editorial team will constantly update the blog space with latest thoughts, commentaries about security developments across the region and afield. You are welcome to comment on the posts and write to any of our journalists should you want your voice to be heard. Critics are especially welcome as only through that we make progress to serve you better.
With the web site comes the e-newsletter, which comes out every week. You can sign up by clicking the ‘subscribe’ link on our home page.
And of course we wouldn’t let the web site take all the glamour – our team at Asian Security Review are working hard to revamp the design and the content of the printed Asian Security Review magazine.
You can also subscribe to the printed version of Asian Security Review via the same link.
And I believe the first issue of 2009, which comes out in early February, will be a pleasant surprise.
Happy (peaceful) New Year!
View/Add Comments
When it comes to surveillance and monitoring, there is much talking about whether the operators are able to effectively detect unusual events and how much intelligent software is able to help them.
How to help? There is a prevalent focus on how software can take over the monitoring and alert the users when it detects something. Though many products have achieved amazing results in some aspects, the whole automation business is still quite buggy.
Wouldn’t it be better to empower the display system to interpret and visually represent all the information that a security professional needs to make a correct and INFORMED judgement?
I recently visited InfoComm Asia, a Hong Kong based trade show on audiovisual technologies. Though majority of the products showcased are about entertainment and sports, there are a few who are dedicated to the readers of this web site.
Jacques Bertrand, Barco’s President for Asia Pacific, told me over the sidelines that the complexity of many control and monitoring operations simply requires a rethinking about the system – how to make them more versatile and sustainable.
He summarised the situation as “you have so many places where you capture the images; you have so many places where you edit the images; and you have so many places where you review them.”
It doesn’t take much effort to argue that for big operations, screen stacks lack two of the most essential qualities to survive the proliferation of cameras – scalability & flexibility.
Therefore sophisticated LCD or rear-projection based displays are gaining their ground in non military monitoring operations, although they don’t attract as much glamour as artificial intelligence does.
And for many operations, it simply makes more sense to integrate video surveillance and other monitoring data, such as geospatial information and sensor measurements, to give the security control room a holistic view of the real-time situation.
So security managers are able to prioritise the display easily based on operational needs, with the visual data comprehensively represented to them upon request. And with the latest technologies such as Microsoft Surface, control of visual data representation will become unprecedentedly easy and intuitive.
Obviously it is not only the display which needs to be scalable and flexible – sound network and data processing capabilities are needed to stream and transmit this huge amount of data from various sources.
The emerging IP surveillance, though far from prevalent (and even not very close to universally understood), is perceived to offer much flexibility to security professionals. As everything becomes part of the network, security managers are now able to view the data they monitor from any place at any time with a fast and secure connection.
And that’s not the most beautiful part of it – the flexibility of collaboration is. Critical security managers can still attend to emergencies while on holidays; metro operators will let the fire brigade view their visual data when a rescue operation is needed; the mayor of the city will be able to make decisions based on visual data shared by multiple agencies.
Or as Bertrand put it: “It’s basically consolidating all the visual data together at one place and share it back by allowing people at other locations to view.”
For small organisations, managed services might be a good way moving forward. Currently the monitoring personnel are largely from contractors anyway and pooling resources also helps with scalability and more, flexibility.
View/Add Comments
