When the subject is cyber security, you won’t find a more acknowledged authority than Thad Allen.

Allen, executive vice president of the Booz Allen Hamilton management consulting firm and a leader in its Justice and Homeland Security departments’ business interests in the civil market, made a stop in Colorado Springs last week prior to a speaking engagement with the Denver Metro Chamber of Commerce.

The former commandant of the U.S. Coast Guard has expertise in cyber security and crisis mitigation, which includes nearly 40 years of emergency response and rescue.

“Over the last 15 years, I’ve been involved in significant events that have shaped my life and view of how to better understand disasters and deal with complex situations,” he said.

Allen was selected by President Barack Obama in 2010 to serve as the National Incident Commander as part of a unified response to the Deepwater Horizon oil spill in the Gulf of Mexico. There he coordinated efforts among the U.S. Environmental Protection Agency, departments of Defense, Commerce, Health and the Interior, as well as British Petroleum.

Additionally, Allen was designated Principal Federal Official of the government’s response and recovery operations following hurricanes Katrina and Rita. He was also responsible for the Coast Guard’s Atlantic Area forces following the Sept. 11, 2001, attacks.

When the Coast Guard entered the Intelligence Community that year, Allen helped his branch implement the cyber intelligence functions utilized today.

During his Colorado visit, Allen discussed with the Business Journal the broadening scope of cyber threats posed by “bad actors” and, leading into wildfire and flood season, the importance of resilient communities during catastrophic times.

Complex problems

Allen has consulted with private sector and government entities on how to handle cyber breaches, including how leadership deals with boards of directors, who takes the lead in crisis control and how to manage continuity of operations following a breach.

While identity theft is a common cyber fear, Allen said breaches can create havoc well beyond compromised Social Security numbers.

“Denial of service [is an example], where your connection is overwhelmed and nobody can get through,” he said. “There’s the exfiltration of data for industrial espionage and to get personal information. … There are hacktivists and organizations and individuals who will plant code inside a network that can activate at a later date. It could be a disgruntled employee threatening to do something to the company network. There is not just one cyber threat.”

Allen said, with the increased use of mobile devices, Wi-Fi and the blossoming Internet of Things, where everything from bridges to coffee makers have a network connection, the “attack surface” is constantly expanding.

“If any device is connected to Wi-Fi, the Internet or a network, they’ve created a point of entry that can be exploited,” he said, adding previous hacks have been carried out via smart air conditioning systems.

With readily available technology, Allen said, “hygiene” is one of the most useful preventive steps.

“Changing passwords,” he said. “A good example is replacing passwords, updating antiviral software and firewalls and there are different ways to detect who’s using a computer. Those steps make it hard for someone to replicate and assume your identity.”

Allen said developing technology could one day make behavioral identifiers and biometric passwords mainstream.

“Personal computers will have an understanding of your pattern of life and, if something happens that doesn’t match [that pattern], it won’t open.”

Allen said, however, the cyber world needs concrete regulations mimicking those found in the physical world.

“The Internet has no physical boundaries,” he said. “We live in a metaphorical global commons. There are bad actors out there and people who can operate via third party countries. We … ultimately have to talk about international standards on how the Internet operates. … We need a global governance system if we are going to do this safely.”

Allen said, as a sailor, the Safety of Life at Sea Treaty following the sinking of the Titanic is an example of how a global safety standard changed the nautical world.

“These [laws] stem from catalyzing events. We needed an international treaty system to ensure that, if you’re on ship traveling, you expect a minimum level of safety. We don’t have that on the Internet,” he said. “The challenge is how you transpose things like, what is [a cyber] act of war? What are prohibited activities no one should accept on the Internet?”

Finally, Allen said the biggest hurdle to addressing security risks over time is the shortage of qualified workers within the tech field.

“There is a complex problem involving demand for cyber security experts in the private sector and financial services,” Allen said. “There is also demand the government run better in terms of the security needed in the military and intelligence community too. When talking about national security, you want the best people you can find. The military and government grade structure [limits pay] and they are competing with the private sector. [The government] needs to bid up compensation for them but, right now, there’s not enough to go around for everybody.”

Allen said his firm conducted a study with the Partnership for Public Service focusing on the national cyber workforce shortage as a national problem.

“Nobody in the private sector and government would disagree that we have a shortage coming up and that we need to work collaboratively to create a workforce to meet all these requirements.”

Resilient communities 

Regarding crises, Allen said he sees several factors contributing to the growing magnitude of the effects of recent natural disasters, including those impacting the Pikes Peak region.

“Over the past couple hundred years in this country, there’s greater interaction between our natural and built environments,” he said.

“Tornadic activity in the center of Kansas 100 years ago was a lot less likely to cause death and injury than today with its population density and infrastructure now.”

Allen said an understanding of one’s natural environment is the first step toward mitigating disasters.

Secondly, community leaders need to discuss how their communities will interact in times of disaster.

“What you don’t want is for those [first responders] to get together [when the disaster is happening] and talk for the first time.”

Allen added that mitigation begins with each individual.

“If you don’t put a demand on services, you’re someone [first responders] don’t have to worry about. And if needed, you can then help your neighbor,” he said. “If your neighbor, who is then the second responder, approaches this the same way, then there are two of you not putting a demand on services. That type of self-awareness and individual responsibility is what really builds grass roots community resiliency.”

Allen advocates for centralized authority, from the community to the federal level, in dealing with disasters.

“I think it’s well-established in this country that, when we have a large-scale disaster, we need to bring resources in from outside,” he said. “If three fire departments 90 miles apart converge on a disaster, they all need to speak the same language or they won’t be effective.”

Allen said, several decades ago, firefighting entities in the U.S. adopted a National Incident Management System that standardizes practices for those responders — from finance to the front lines. He added that military capabilities should also be available in times of crisis and noted some of those capabilities were used in Colorado during the state’s recent wildfires.

“Military will always be there in support of civilian authorities,” he said. “There are very few times where the military would be in charge of anything in this country. … [The military may have] capacities not existing in the community, but they will always support state and local responders. But the legal authority to lead a response rests with state and local governments. It’s basic constitutional law.”

Allen admitted red tape can hamper government reactions. Due to efforts following Hurricane Katrina, “some large installations have organic capabilities to help in a disaster. [Lawmakers] are working on how to ensure military support and how to go about getting it without going through bureaucratic layers. … The [Department of Defense] is looking at the entire country and there’s an ongoing discussion about how to best utilize those installations adjacent to a community having a problem.”

Allen added that factors including climate change and rapid advances in technology have led to disasters “of greater frequency and greater magnitude, but also greater complexity.

“Complexity is a risk aggravator,” he said. “If the problem gets big enough, then the procedures, policies and how we thought we would address the problem may not be adequate to address the complexity and scale of the situation.”

Allen said developing the necessary agility to address complex events means “setting aside jurisdictional issues and looking at the whole system. We’re seeing more regional entities established, and we’re getting good at organizing and responding. We’re just not so good at seeing the problems ahead of time.”