Saturday, November 29, 2008

The lessons learnt from Mumbai Terror Attack

Our collective heads are hanging in shame…
Where was the Crisis Management Group, and what was it doing all this while? If a popular Delhi FM radio station is to be believed, it took a precious 9 hours for the CMG to assemble and decide on sending an NSG team to Mumbai. And when the team reached there, the same source revealed, how was it brought to the venue of its action? No prize for guessing: in BEST buses, no less!

To break the somnambulistic lethargy that comes from the sense of being in power is probably the toughest challenge the Nation faces! Facing terrorism or a hostile nation is consequent and easier!! The leadership, changing its dress and changing its words, still spewed the same rhetoric! Not only the concerned ministry but the whole country takes the concerned Minister as a liability. An ‘Address to the Nation’ delivered with zombie-like glazed looks and in a monotone devoid of feelings and emotions cannot instill trust and confidence in the national leadership among the citizens.

Where are the tough anti-terror laws they have been talking about? Where are the tough actions promised time and again?? When police from one Indian state cannot enter another state in hot pursuit, how can the doctrine of hot pursuit be practiced when terrorists come from Pakistan and run back to it? Our leaders shy away from even naming Pakistan as the country behind terrorist activities and on the sly call it a ‘neighboring country’ when they should actually name it as Pakistan. Terrorism cannot be eliminated by tough talk; it can be eliminated only by tough actions. Taking the decision is the most difficult part; actions are easier for politicians and police forces respectively.


How does one redeem his name? Ask Hemant Karkare, who led from the front and sacrificed his life. Till a few days back his name was being maligned, and now he is a martyr! The political appointee, the Director General of Maharashtra Police, chose to issue statements from the comfort of his office using brave words, while the other Director General, in this case of the National Security Guards, was in battle fatigues and supervised the whole operation, rushing from place to place wherever his guidance was needed. He did not forget to introduce his team of officers involved in the operation when he addressed the media. But when a local Congress leader faced the camera, not only did his followers chant slogans in his favor as if he were addressing an election rally, he himself made it a point to credit his leadership for planning to formulate a ‘tough anti-terror law’. Hollow words, all these!

Security personnel and law-enforcing agencies are routinely rubbished for being utterly unprofessional, criminally lethargic, poor in intelligence and shabby in action! Departmental cases are routinely held and the guilty are punished. What about punishing the leadership? To whom are they answerable?

Some terrorist apprehended will be put through a long-drawn legal battle. He might not get punished, and even when that happens, is there any guarantee that the Government will not dither? Has Afzal been hanged so far? The family members of the security personnel who laid down their lives defending the Parliament are still awaiting the final decision on Afzal. The Top Executive of the country takes ages deciding on a ‘non-issue’ related to a dreaded terrorist but is always ‘pleased’ to punish some ‘Babu’ coming late to the office!

Those who talked bravely about removing ‘North Indians’ from their Land have lapsed into a tongue-tormenting paralysis and are yet to speak even a single word condemning the terrorist attacks or about their plans to remove the terrorists from their Land.

There were already two ‘Senas’ in Mumbai, specially trained to bully and torment the innocent and to vandalize public and private property. Surely these ‘Senas’ could have handled the ‘terror situation’ in Mumbai without the help of ‘outsiders’, for this would otherwise sully the ‘Asmita’ (self-dignity) of the ‘Marathi Manoos’! Why this was not done remains a mystery! In fact, the other mystery is what the ‘Senapatis’ were doing at the time of crisis, if not hiding in some bunkers.

When India demands that America declare Pakistan a ‘Rogue Nation’ or ‘Terrorist Nation’, it becomes a laughing stock, as it is the same India which has accorded Pakistan the status of ‘Most Favored Nation’. We don’t have to present so-called clinching evidence to the USA of Pakistan’s involvement in terrorism in India. If we are so convinced about it, what stops us from taking drastic action? A country doesn’t become a Super Power by pretensions; it becomes one only by tough actions. The time for tough action is now, if there ever was any!

Our collective heads are hanging in shame for the way the country’s leadership so irresponsibly and callously handled the situation in Mumbai! Those who know a little Greek mythology will understand that cutting the snakes was never a solution, as the solution was cutting off the head of Medusa! We can eliminate terrorism only by eliminating its breeding and feeding ground, which is Pakistan.


Lessons learnt from Mumbai terror attacks

There are a few lessons learnt from the whole 60-hour-long operation, which ended with more than 195 casualties and more than 280 injured:

Be ever ready!

It pays to be ‘battle ready’, as the ‘shahadat’ of Karkare, Kamte and Saluskar has proved. If one is on security duty, do not forget to secure oneself! There is no need to be overprotective to the verge of cowardice, but ensure that reasonable precautions are taken! Dead heroes are history, whereas living ones are national assets.

Remain in control of the situation…

Do not let the situation control you! The NSG has proved this most eloquently. After they took charge, not even for a minute did it appear to those watching the whole scene on TV that they were losing control. They never appeared to be hassled or at the receiving end, and throughout the operation they maintained a high level of professionalism. One cherubic NSG commando, when asked what the toughest part of the operation was, nonchalantly commented that “nothing is difficult or tough for them!”


Think out-of-the box!

The terrorists’ strategies cannot be taught in the classroom from training books. Conventional tactics and strategies are for conventional warfare by conventional armed forces. Terrorists almost every time use the most audacious and impractical approach for that reason alone! The security forces need to think out-of-the box! The water-front had not been used by terrorists as an approach route so far. But that was never a guarantee against its future use by them. When they did use it, no one was prepared. We have to start thinking the ‘impossible’, as surely someone is capable of converting it into the ‘possible’.

Security Force! No hurry, take time! But be timely!!

It takes time to acclimatize to the ground. No security force or commando operation can be undertaken without proper planning, including reconnaissance of the area to get a ‘feel of the ground’. Only fools rush in! Deliberate and prudent planning takes time, as failure endangers precious lives and no ready-made ‘one-size-fits-all’ solution can be applied to all situations. However, once the course of action has been decided, the entire operation must be conducted with timing and precision.

Power of taking Decisions

The political leadership takes time to decide; in fact its specialization is in delaying decisions, and therefore expecting a quick or timely decision is asking for too much. It is time that the onus of taking the decision is divested from the politicians and vested in the head of an “Anti-Terrorist Federal Agency”, which needs to be created soon.

NSG Deployment.

If at present the National Security Guard (NSG) is expected to handle terrorist strikes, hostage situations etc., then why must it remain located in Delhi? If the NSG is expected to react to any situation occurring in any part of India, then it must be strategically located in various well-connected cities, preferably the metropolises. Until the NSG team reaches the site of its operation, the least the local police can do is barricade the area and ensure smooth traffic movement for ambulances and the vehicles of the security forces.

Reliable & Timely Communication

Communication through Ham Radios, ‘blogging’ and ‘twittering’ can be very important for common citizens as networks are known to jam in such situations. Keeping the citizens informed is very important in such situations as rumor-mongering will not only demoralize them but may cause another law-and-order problem which law enforcing agencies can ill afford at the time.

Don’t be naïve, we are the terrorists!

Very naively, one of the leading English dailies describes a typical ‘fidayeen’ as “armed with an assault AK-47 rifle, a 9 mm pistol and several Chinese made hand grenades, with spare bullet magazines in his pouches an knapsack, apart from dry fruits and other eatables to sustain ..” This caricature of the fidayeen terrorist is far from the truth. Terrorists are not like soldiers of conventional armed forces, who will always be in ‘battle order’ when in battle. They have in the past been, and will in future be, ‘dressed for the occasion’! The terrorists will dress as per the time and location of their action and will be equipped as per the need and as per the Just because terrorists this time were equipped and accoutered like this doesn’t mean they will be seen similarly in future. Most likely they will look different, for the reason that a similar appearance will draw attention in future.

Media! Please don’t mess-up with security personnel!

Media people have to realize that even though they have an important duty to perform, their duty is still not more important than that of the security forces. In their eagerness to be ‘me-first’ they sometimes enter areas where they have no business to be. Their presence in such situations not only hinders the activities of the security personnel; they also become liabilities for those security personnel who are risking their own lives to save others. The foolhardiness of one such correspondent surely cannot have escaped the attention of TV viewers, when he was shown telling with bravado of having gone into the area from where he was rescued by the NSG commandos!

Media Ethics, what is that?

TV channels are known to have gone overboard in such situations in the past, and this time was no exception. It was not appreciated by the TV channel, while telecasting live the talk with the terrorist, that it was almost verging on “offering a platform to espouse their cause”. The channel overlooked the fact that its ‘legitimate reporting duty’ may jeopardize innocent lives, create a law-and-order situation or incite some part of society to more violence.

Credibility of Media News: Mom no homework!

Common people must understand that most media people are ‘generalist’ journalists and, being young as most of them are, are not supposed to know everything, even when they pretend otherwise. Their reporting may not be factually accurate, or they might not have recourse to cross-check the veracity of the facts when reporting live. In one case Kamte was referred to as ACP and Additional CP in the same breath! In another case an NSG Havaldar was referred to as a senior officer! In both cases the reporters showed their very poor knowledge of the rank structure of the police and armed forces. Understand the effect on the police force of the news of the death of an Additional Commissioner of Police (Addl. CP) when actually an Assistant Commissioner of Police (ACP) died. Similarly, people will tend to agree more with the news when it is reported that the source of the information is a very senior army officer, whereas it was actually a havaldar! So the moral is to take media reporting with a pinch of salt. They are known to be wrong sometimes.

*****

Saturday, November 15, 2008

IISSM GOA 2008

On the eve of the annual seminar of IISSM held at Goa, a meeting of the Board of Governors of IISSM was held on 12th November 2008. The following office bearers were present -
  1. Mr. K P Medhekar, IPS (Retd.) - Chairman
  2. Mr. R Swaminathan, IPS (Retd.) - President & Director General
  3. Capt. S B Tyagi (Retd.), FISM, CPP - First Vice President
  4. Maj. P Kalastree (Retd.) - Vice Chairman - Pacific Region
  5. Prof. Kris Pillai, FISM - Vice Chairman - Africa
  6. Col. Stanlay J Grogan (Retd.), CPP - Vice Chairman - US, Canada & West Indies
  7. Mr. G S D'souza - Provider Representative
  8. Mr. Uday Singh - Foundation Representative
  9. Mr. BG Deopujari - Special Invitee
  10. Mr. D C Nath, IPS (Retd.) - Executive President & CEO
  11. Lt. Gen. Prem Sagar (Retd.) - Executive President (M&F)

The meeting was held at the International Culinary & Catering Academy (ICCA), which has accreditation with the world-renowned Swiss Catering Institute and was started by the young entrepreneur Mr. GS D’souza, who is also the moving force of the Goa Chapter of IISSM, the co-host of the annual seminar. The meeting was followed by a cocktail dinner, for which the ladies also joined in later.

The annual seminar was held from 13 to 15 November at Hotel Cidade de Goa and was inaugurated by His Excellency, the Governor of Goa.

Few glimpses of the seminar are given below -


Sunday, November 9, 2008

Lost Laptops : Lost Data

Laptop computers are essential for organizations to make sure their employees have access to information they need wherever they are working…at home, in a meeting, or on the road. A lost laptop creates a two-dimensional problem. First, the laptop itself must be recovered or replaced. Second, and even more unsettling, is the prospect that critical information on the company, its plans, and its customers could have been lost as well.

This article looks at both types of losses, from a statistical and cost point of view. It also examines the internal and external factors that contribute to laptop theft. Who steals laptops? What motivates their actions? Why are companies targeted repeatedly?

Based on an extensive review of published research, the report explores the scope of the problem. A range of detailed solutions is offered. In a sample of worldwide jurisdictions, current legislative efforts impose new sanctions. Several product innovations may help to prevent thefts. Disrupting the ways thieves can unload their bounty is another deterrent. The appendices include exhaustive lists of physical, electronic, and procedural security enhancement, so organizations have specific ways to discourage or prevent thefts. The report encourages companies to set goals to counter laptop theft and then implement those goals through situational prevention techniques and the seven steps of loss prevention. Additional research could aid in preventing the theft of laptops and the data that resides on them. The report concludes with suggestions for further exploration by academic and corporate investigators. Laptop computers are essential tools in today’s global economy. Employees at all levels, in all business sectors, must be mobile. They must have access to information whether they are at home, on a sales call, or in a hotel.

Because laptops are portable, they are highly susceptible to theft. The theft of business laptops and the loss of the confidential and proprietary information residing on them can occur when the user is in the office or on the road. Researchers have determined that 25% of laptops are stolen from the office or the owner’s car. Another 14% are lost in airports or on airplanes.


Laptop theft is a two-dimensional problem. On the surface, companies must devise ways to secure the actual devices from crafty thieves with easy access to pawnshops and fences. Even more sinister, the data on a stolen laptop has enormous value among the illicit networks that prey on unsuspecting consumers, or reap rewards from insider information. In their attempts to stay competitive in the world marketplace, companies cannot afford to overlook the seemingly insignificant loss of a laptop. Details on the scope of the problem, the high price of ignorance, and the determined thieves looking for loopholes will convince even the most ardent skeptic to take the actions recommended in this report.

Stolen laptops

The chance that a laptop will be stolen or lost during any twelve months is one in ten, according to a 2002 Gartner Group study. Estimates among industry analysts confirm the frequency with which laptops disappear. A 2004 InfoWorld article, for example, estimated that the annual number of stolen laptops ranges from 700,000 to 1 million. That same year, an Entrepreneur Magazine article used an FBI estimate to report that 1.5 million laptops had been stolen in 2004, a 50% increase from the year before. Both public and private sector organizations are at risk worldwide. In a 2006 report, the Committee on Government Reform noted that in the previous five years 1,137 U.S. Department of Commerce laptops had been lost, stolen, or reported missing. A 2006 Australian Computer Emergency Response Team survey of 17 industries found that 58% of the 389 respondents detected laptop thefts during the year of the survey. Between 2005 and 2007, 4,700 laptops were stolen from offices in Calgary, Canada, according to a 2007 survey by the Calgary Public Safety Committee of the Building Owners and Managers Association (BOMA). Medical, financial, oil and gas, legal, engineering, transportation, personnel, and property management industries were included in the study. Appendix A is a checklist that can be used to track a company’s laptop inventory and monitor how the laptops are being used.

Stolen confidential information

Statistics that measure the loss of business and personal information residing on laptops are even more alarming. A 2006 Ponemon Institute survey found that 81% of the U.S. companies studied reported the loss of one or more laptops containing sensitive information in a twelve-month period. The computer security Web site, www.attrition.org, includes an extensive list of laptop and data thefts. In early 2008, the site reported more than 900 data breaches yielding 310 million records.

Lost productivity

Productivity is the first victim of a stolen laptop. Should an employee lose his or her laptop, that employee’s ability to work is compromised, often for days. At one company, for example, eight laptops used by key employees were stolen, including those in the firm’s finance and engineering departments. It took three days for replacement units and back-up data discs to be found before the business could resume operations.

Recreating data

Depending on a company’s data back-up practices and its use of a central server for data storage, data may be replaced in a few minutes—or be lost forever. In developing adequate data replacement and recreation strategies, company executives must resolve many questions, such as what procedures must be developed to ensure that important data is secured, as well as how quickly it can be replaced or retrieved, and at what cost.

Lost business

When customers learn of a data breach, their faith in the company incurring the loss can be shaken. They may shift their business to competitors. According to the 2007 Ponemon survey, data breaches exposing customer data can cost a company $128 in lost business, per victim. In a similar Ponemon study conducted in 2005, researchers found data breaches seriously affected corporate reputation, corporate brand, and customer retention. When notified of a breach, almost 20% of customers terminated their relationship with the company. Another 40% considered termination.

Internal Factors Contributing to Stolen Laptops and Lost Data

Why are laptops easy targets for gaining access to data? The answer involves a combination of misperceptions on the part of the company and the users of the laptops. Some companies simply fail to maintain an adequate inventory of their laptops, while others completely refuse to invest in appropriate security policies and procedures. Users often fail to understand the value—not only of the units themselves—but also of the information they contain. Consequently, they can resist applying appropriate security policies and procedures when they are enacted.

Accountability

A 2004 survey by Ernst & Young found that few organizations and individuals feel they should be held accountable for failing to protect laptops and data. In many organizations, when a laptop is stolen, the affected employee simply acquires another from inventory. Even some security practitioners hesitate to emphasize laptop theft. One corporate security professional admitted that he had more global issues to confront than

Inadequate security

When finally caught, one Calgary laptop thief responsible for hundreds of thefts over several years admitted to the arresting officers, “companies made it too easy for these types of crimes to be committed, because of the lack of appropriate security measures.” Even when adequate security measures are in place, they are often ignored for two reasons: the security staff is not available, not credible, or unable to sell the value of protective strategies; or employees are uninterested or have been poorly trained.

Perception

The relatively low price of laptops can suggest that they do not merit protection. Even though many organizations spend thousands of dollars on individual laptops, they are often viewed as a minor part of a departmental or organizational budget. Organizations that embrace this thinking fail to understand the true cost of a laptop, or the value of the data residing on it. Even privacy legislation assigns a value to data by assessing fines for losing it.

External Factors Contributing to Stolen Laptops and Lost Data

Even a well-designed security program must be tweaked constantly to keep ahead of external factors that are determined to uncover its weaknesses. The market for a company’s proprietary information and personal data on customers and clients is lucrative. Determined thieves are more than willing to take the risks to reap the rewards. Once thieves have been successful at one property, research shows that they are likely to return.

Determined thieves

According to the 2003 BSI Computer Theft Survey, 99% of survey respondents who experienced computer theft reported that the thief was never caught. Some thieves are simply opportunistic and take advantage of situations to steal laptops. In interviews conducted for the 2007 BOMA survey, one thief admitted that he made between $500 and $600 per unit, and had stolen as many as fifteen laptops at a time. At the other end of the spectrum, thieves admitted they sold laptops for as little as $40 of crack cocaine. Thieves intent on stealing laptops will put tremendous effort into overcoming significant security measures. They will conduct security assessments to look for weak entry points. They will bring props, such as maintenance, janitorial, or security uniforms, so they appear to fit in. They will make phony identification badges, develop cover stories, and communicate with partners using cell phones and radios. One offender indicated that he would conduct research on the latest equipment and develop “want lists” before orchestrating a hit. Organizations are vulnerable to laptop thefts from both outsiders and employees. Research is contradictory about which poses a greater threat. But there is no doubt that those inside organizations are also stealing laptops. Authors Clarke and Eck posit that laptops are “CRAVED” by thieves. The acronym explains why.

Concealable: Because they are small, laptops are easy to hide beneath a jacket, layer between other items, place in a backpack, or put in a gym bag.
Removable: The portability of the device is partially what makes the laptop desirable to both companies and individuals.
Available: Many individuals and companies use laptops extensively. As a result, considerable numbers are available to be stolen.
Valuable: Many people are willing to pay large enough sums of money for stolen laptops. Thieves tapping into this lucrative market are willing to go to extremes to satisfy the demand.
Enjoyable: As computers become more essential for both business and pleasure, the demand continues to grow.
Disposable: An illegal market is readily available, allowing thieves to dispose of laptops easily.

Managing the Threat

Ultimately, preventing laptop thefts and the resulting data loss requires a permanent solution. Countering the threat requires company management to commit to a course of action prescribed by basic security principles. These principles are used by corporations of all types, in all corners of the world, to prevent and deter myriad risks to a company’s well-being. Bringing these same principles to bear on this specific crime can reduce the threat from both internal and external sources. Implementing these principles requires a review of the many resources and options available, including: physical, electronic, and procedural security enhancements; legislation; and product design. In conjunction with law enforcement, preventive measures should also disrupt the market for the stolen goods.

Physical, electronic, and procedural security enhancements

A comprehensive and converged physical, procedural, and information security program is essential for every organization, regardless of size, industry, or ownership. And part of that program must address laptop security and the related loss of potentially sensitive data. Implementing the appropriate security measures requires money, time, and effort. Companies must be committed to supplying all three. Management must realize that a lack of funding is a serious impediment to a comprehensive protection program. Many companies have implemented successful strategies. But research shows that companies that have failed to do so lack a comprehensive, layered approach to security that takes into account physical, electronic, and procedural measures. Also, these measures must be embraced by all employees, including laptop users, management, and security professionals from both physical and electronic disciplines.

Seven steps to prevent loss

These two goals can be achieved by adopting the situational prevention techniques. They can be implemented by adopting the following seven steps:

Step 1: Conduct an audit to determine where laptops are used within the organization. This audit determines specific information about a company’s laptops, such as where they are being used in the organization, how many are in the inventory, who is using them, for what purpose, and what type of data is residing on each one.

Step 2: Determine whether specific employees need a laptop to do their jobs. If a laptop is not required, it should be replaced with a desktop unit. If the laptop is an essential part of the employee’s work, the next steps should be pursued.

Step 3: Classify data on the laptop according to organizational guidelines. The classification scheme should be specific to the organization and its culture. A number of classification models are available. The one selected should be clearly understood, implemented, and followed by all employees. The example of Sample Identification and Classification of Data can help categorize the relative value of “Public Documents,” “Proprietary Information,” or “Highly Confidential Information.” The latter group includes human resources, financial, security, and organizational plans and strategies, as well as test results, assessments, surveys, or other information the organization has spent money collecting or developing.

Step 4: Determine if data residing on each laptop is necessary for employees to complete their jobs. If not, the data should be removed. If the data is necessary, the next step should be pursued.

Step 5: Conduct a risk assessment to determine possible theft scenarios for the data stored, processed, or transmitted by laptop. Devise appropriate security measures to protect both the data and the laptop. The assessment puts the required physical, procedural, and electronic security measures into perspective, as well as the necessary security awareness training. Obviously, the higher the classification of the data, the more security measures should be in place. A number of risk assessment methodologies are available. In addition, ASIS International has published a General Security Risk Assessment Guideline, available to download for free at http://www.asisonline.org/.

Step 6: Implement the required protection strategies. Protective strategies start with security awareness programs; employees must understand their obligation to use the security measures required to protect laptops and data. Employees should be required to indicate, in writing, that they understand the established laptop and data protection guidelines. Department managers and senior managers should show their support for the policy by signing similar forms. Both facility and IT security personnel have special responsibilities for implementing the policy, and should indicate their willingness to assist on the appropriate forms.

Step 7: Create a loss response team to monitor laptops and data. Should a loss occur, the affected employees should be required to report the loss in writing. The team then responds to the report by investigating the losses and determining the scope of the data breach. In addition, the team should be regularly educating users, conducting audits to ensure compliance, annually assessing data needs, and destroying or removing data when it is no longer required. This process is cyclical, since new laptops and data enter and leave the organization on a regular basis.
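The triage in Steps 1 to 5 can be run over an audit inventory, as in the following added example (it is not part of the original report). The asset tags, the sample inventory and the control lists per classification tier are constructed for illustration, and multiplying the article's "one in ten" loss figure by its $128-per-victim figure is this example's own assumption.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Classification(IntEnum):
    """The three tiers named in Step 3."""
    PUBLIC = 1
    PROPRIETARY = 2
    HIGHLY_CONFIDENTIAL = 3


# Figures quoted in the article; combining them is an assumption made here.
LOSS_ODDS_PER_YEAR = 10          # "one in ten" per twelve months (Gartner, 2002)
LOST_BUSINESS_PER_VICTIM = 128   # USD per victim (Ponemon, 2007)

# Hypothetical control tiers: the higher the classification, the more measures.
BASE = ["inventory record"]
CONTROLS = {
    Classification.PUBLIC: BASE,
    Classification.PROPRIETARY: BASE + ["cable lock", "full-disk encryption"],
    Classification.HIGHLY_CONFIDENTIAL: BASE + [
        "cable lock", "full-disk encryption",
        "signed user acknowledgement", "annual data-need review"],
}


@dataclass
class DataSet:
    name: str
    classification: Classification
    needed_for_job: bool
    customer_records: int = 0


@dataclass
class Laptop:
    asset_tag: str
    user: str
    laptop_required: bool
    data: list = field(default_factory=list)


def triage(laptop):
    """Apply Steps 2-5 to one audited laptop and return the resulting plan."""
    plan = {"asset_tag": laptop.asset_tag, "actions": [], "controls": [],
            "expected_annual_lost_business": 0.0}
    # Step 2: no business need for a portable device.
    if not laptop.laptop_required:
        plan["actions"].append("replace with desktop")
        return plan
    # Step 4: data that is not needed for the job is removed.
    kept = []
    for ds in laptop.data:
        if ds.needed_for_job:
            kept.append(ds)
        else:
            plan["actions"].append(f"remove data: {ds.name}")
    # Steps 3 and 5: the highest classification left on the device sets the tier.
    tier = max((ds.classification for ds in kept),
               default=Classification.PUBLIC)
    plan["controls"] = CONTROLS[tier]
    records = sum(ds.customer_records for ds in kept)
    plan["expected_annual_lost_business"] = (
        records * LOST_BUSINESS_PER_VICTIM / LOSS_ODDS_PER_YEAR)
    return plan


def audit(inventory):
    """Step 1: walk the inventory; highest expected loss first."""
    return sorted((triage(lap) for lap in inventory),
                  key=lambda p: p["expected_annual_lost_business"],
                  reverse=True)


# Constructed sample inventory (not real data).
C = Classification
INVENTORY = [
    Laptop("LT-001", "sales rep", True, [
        DataSet("customer contact list", C.PROPRIETARY, True, 2500),
        DataSet("old payroll export", C.HIGHLY_CONFIDENTIAL, False)]),
    Laptop("LT-002", "receptionist", False, [
        DataSet("visitor log template", C.PUBLIC, True)]),
    Laptop("LT-003", "finance manager", True, [
        DataSet("financial plan", C.HIGHLY_CONFIDENTIAL, True),
        DataSet("client billing records", C.HIGHLY_CONFIDENTIAL, True, 400)]),
]

if __name__ == "__main__":
    for p in audit(INVENTORY):
        print(p)
```

Removing the unneeded payroll export from LT-001 drops that laptop from the highest control tier to the middle one, which is the practical effect of doing Step 4 before Step 5.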