In our 16 May 2017 blog post, we addressed the WannaCry outbreak and how the cyber-incident highlighted the ineffectiveness of the current National Terrorism Advisory System (NTAS). In that post, we stated that we’d deliver a follow-up post to suggest one way that the broad NTAS process might be refined. This post is intended to continue that discussion. Below, we suggest some of the criteria a refined threat advisory system should include and some of the ways such a system should function.
Key Points: The current NTAS is ineffective and needs to be replaced with a system that is more effective. That system should be clear, have meaning, be flexible, be predictable, be repeatable, and threats and advisories should be time constrained. The new system needs to address all hazards – not be limited to terrorism, but rather the broad array of threats that can impact the United States. The system should have a means to regularly redefine steady-state, or “normal,” and include color-coded threat levels for physical and cyber security.
Our team members at Gate 15 are certainly not the only ones concerned about the inadequacy of NTAS in the US; over the years, others have noted improvements in NTAS over its predecessor, but have also called for its refinement. This article, from 2012, is a good example of the logical arguments for how the old Homeland Security Advisory System (HSAS) could have been improved under NTAS and how the US government could enhance its communications with the public on terrorist and other threats. Likewise, some of our partners, who have been more impacted by the rash of recent Islamic State-related terrorist activity, are asking questions about their advisory systems. Note these perspectives from Britain, Ireland, and Australia. There is no question that NTAS counterparts throughout the world suffer from some of the same inadequacies.
No system will be perfect, but NTAS has failed to deliver as an effective means to communicate threats and, by its name alone, is too limited in scope to communicate the array of threats we have to contend with, such as the increasing concerns regarding the potential of blended attacks – deliberate, aggressive action that causes harm to both cyber and physical systems. There may be sensible times to increase threat awareness on cyber or health issues, for example, which are not adequately within the scope of NTAS. Terrorism and cyberattacks are realities that are not going away in the near future, and threats such as global pandemics or natural disasters and potential cascading impacts are real threats we need to be prepared for and be able to effectively speak to.
As such, a threat advisory system should:
- Be Clear;
- Have Meaning;
- Be Flexible;
- Be Predictable & Repeatable;
- Be Time Constrained, and;
- Be able to be used across the spectrum of threats.
Be Clear: the system needs to be clear and understandable. As alluded to in the 16 May post, most people likely don’t know the difference between “guarded” and “elevated” in terms of how likely a terrorist attack is. Even the short descriptions of what they mean in the NTAS system are ambiguous and open to significant interpretation. We are already suffering from “terrorism threat fatigue” (also known as “terror fatigue” and “vigilance fatigue”), which is characterized by feelings of exhaustion, desperation, and/or apathy in relation to reports of terrorist activity. When people don’t understand why something is important or relevant, they tune it out. It becomes white noise. People ignore white noise when things are calm, as well as when things are chaotic, such as in the aftermath of an attack. The last thing we need is for our advisory system to be processed as white noise by the people it is meant to help.
Have Meaning: the system needs to have meaning and be useful. This entails being based on logic that most people can follow. You shouldn’t have to be an intelligence or security expert to understand the rationale of the system nor a given “level” or alert. It should be structured in such a way that most people can understand what it means for them and why they should take the recommended actions. And yes, there should be recommended actions attached to any advisory system. An ideal system would provide useful information and guidance. Its purpose would be widely-understood, and it would be treated as a respected national standard on which people at the state, local, private sector, community, and individual levels could base their decisions for their specific areas of concern.
Be Flexible: the system should not be so constrained that it cannot adjust to new threat realities and “new normals.” Any system that is going to provide alerts on increased threats or risks must assume some sort of baseline, or a standard that is considered “normal.” Part of the challenge with the old HSAS was what seemed like a perennial state of “elevated” and “high” levels. If those are the steady-state, then are they really elevated? Under NTAS, the threat environment has changed but NTAS has never been used. Periodic NTAS Bulletins “provide broader or more general information about terrorism trends, events, and potential threats in those situations where additional precautions may be warranted, but where the circumstances do not indicate a threat against the United States of sufficient credibility, or specificity and credibility, to issue an Alert. The NTAS Bulletin will summarize the issue and why it is important for public awareness; outline U.S. Government counterterrorism efforts; and offer recommendations to the public on how it can contribute to the overall counterterrorism effort.” But these Bulletins, whether they successfully meet the intent above or not, don’t address non-terrorism concerns and don’t provide useful guidance to industry. NTAS has anchored in the sand while the waves of threats have been shifting the landscape, sometimes slowly, sometimes aggressively. A rigid system doesn’t work; a new system should build in flexibility to be able to adapt to a changing environment and “new normal.”
Be Predictable & Repeatable: the system should follow a clear process that can be anticipated, understood, and repeated. This establishes expectations and allows others to work off that national system to inform and develop their own processes, plans, and responses to threats and government-assessed changes to the threat environment. If we are under an “elevated threat,” that should trigger some (voluntary) action – maybe just pausing to assess relevant impacts, or reviewing procedures, or maybe it triggers more robust actions like increased staffing, enhanced security measures, or other physical or network hardening or action.
Be Time-Constrained: perpetual caution is ineffective. As HSAS got stuck in higher levels, NTAS has gotten stuck in a continuous state. DHS states, “NTAS Bulletins will establish mechanisms and set timelines to regularly re-evaluate the threat or risk identified in the Bulletin,” but Bulletins are released to pick up where the previous one sunsets so they are updated, but perceived threats don’t end. That isn’t necessarily a terrible thing, if it was how the system was intended, and it sort of gets to the idea of being flexible. However, are we to really accept there have been no times since NTAS was implemented when there has been a higher level of threat? I know many involved in physical and cyber security that would argue they’ve spent too many weekends responding to threats and incidents to validate any such suggestion. Take the May WannaCry attacks, which demonstrate an immediate NTAS fail because NTAS isn’t designed to speak to cybersecurity. In the initial awareness that something bigger than a local incident in Spain or at the UK’s NHS was taking place, security personnel dove in to understand what seemed like a potentially global threat with the ability to impact systems, to include critical infrastructure, and to result in a blended attack. It would have been an opportune time to launch a threat advisory for a specific period – maybe 48 hours – to encourage threat awareness, a security response, and a reasonable amount of time to assess the threat and reassess the necessity of an alert.
The system needs to work for all (or at least most) threats: While we know different threats require distinct types of responses, it would be ideal to have an advisory system that worked across the spectrum, from health pandemics to cyberattacks. After all, the system is essentially about informing and advising. It doesn’t have to be specific to the type of incident that has occurred or is expected to occur. At its best, the system would provide relevant information and point people to appropriate actions or resources to protect themselves, as appropriate. As mentioned above, some incidents may require people to be extra vigilant for a specified period of time, while others don’t.
There are likely many viable alternatives to the current system. In addition to meeting the criteria noted above, we recommend a new system include the following:
- Periodic Threat Assessment and Physical and Cyber Threat Levels. A periodic – probably best quarterly – assessment of threats and relevant risk articulated in a Threat Statement with corresponding physical and cyber threat levels. Except during extenuating circumstances and remarkable threats, the refined assessment detailed in the Threat Statement should almost always re-establish the baseline of normal and be associated with a color-coded threat level. While many grew tired of the old HSAS threat rainbow, clear color-coding helps articulate changes and severity in a way that is relatively easily understood, so long as it is not misused.
- Specific Caveats. With the Threat Statement and the “new normal” it consistently establishes, caveats for emerging threats may be presented and articulated as long as they are specific, time-constrained, and include associated actions / recommendations. These may be released in relation to a specific type of threat, a region, a sector of critical infrastructure, or some other specific manner.
- Monthly Refinement. Monthly, a statement should be released either confirming no change to the Threat Statement and threat levels or providing specific updates.
- Caveats and updates should either trigger pre-designated actions or include specific recommendations, which may or may not be publicly released. Those should include a specific sunset date (not to extend beyond the next monthly periodic review). If the threat is persistent, it should be captured as part of the new normal baseline and incorporated into the next Threat Statement or update re-establishing “normal.”
We hope that as the new Administration and new DHS Secretary settle in, the Department and private and public-sector homeland security stakeholders can have an effective discussion to refine the threat advisory process. We hope this blog provides some useful ideas towards such an update.
This blog was coauthored by Jorhena Thomas and Andy Jabbour.
Jorhena is a Senior Risk Consultant with Gate 15, and focuses on information sharing and creative partnerships in the homeland security space.
Andy is Gate 15’s Co-Founder and Managing Director. Andy leads Gate 15’s risk management and critical infrastructure operations with focus on Information Sharing, Threat Analysis, Operational Support & Preparedness Activities (Planning, Training & Exercise). Andy has years of experience working with partners across the critical infrastructure and homeland security enterprise to support national security and client business needs.