By Rachel Briggs.
This article appeared in Security Monitor, the journal published by the Homeland Security and Resilience Programme at RUSI.
The Unlikely Counter-Terrorists
Counter-terrorism is currently the preserve of the state. Traditionally the main target for terrorists, the government and its agencies lead the UK's fight against terrorism. However, as the threat, most notably that posed by Al Qaida, becomes more diffuse and increasingly determined, business is more likely than ever before to be targeted.
This is now received wisdom. More rarely explored is the role that companies could play in minimizing the impact of terrorism - ensuring that terrorists, if they penetrate our security net, do not succeed in inflicting massive human and economic casualties. The cinematic scale of September 11th has led to a sense that homeland security cannot defeat a determined terrorist threat – if thousands can be murdered in downtown Manhattan, it can happen anywhere. What use are the old precautions – bomb-proof curtains or fire alarms – if we face flying bombs or, worse, biological and chemical weapons? This is to ignore the real, practical lessons of September 11th. The death toll might have been far worse if the Twin Towers hadn't practiced evacuation procedures after the unsuccessful bomb attack to bring the towers down in 1993. And those companies with contingency plans – new accommodation from which to resume operations almost immediately after an attack and insurance against losses – were far more likely to weather the storm in the short- to medium-term. Though business can never predict terrorist attacks or even stop them from succeeding, evidence shows that it can limit their impact. Therefore the UK requires a new breed of counter-terrorist – based not in Sandhurst or Scotland Yard but in the City of London.
The Case for Business Involvement in Counter-Terrorism
The case for business involvement in counter-terrorist activities in the UK is a combination of self-interest and social responsibility. The corporate world is an increasingly important target for Al Qaida. Intelligence shows the group has been linked to plots against a number of companies, including US companies in Singapore and Microsoft. Targeting companies not only achieves economic disruption, it also creates fear and panic among the population at large. Some companies are more attractive targets than others, most notably those companies comprising the UK's so-called critical infrastructure, such as water and energy suppliers, transport and telecommunications networks and financial institutions. In 2000, the scale and speed of disruption caused by the fuel crisis illustrated vulnerabilities within and between these infrastructures – but the damage caused by peaceful blockades would be dwarfed by the impact of a determined and ruthless terrorist network. Even where the business community is not directly targeted, companies may suffer collateral damage from an attack on government, military, cultural or religious buildings, especially given the scale of impact sought by Al Qaida.
Companies have a responsibility to their staff, shareholders, investors, suppliers and neighbours to take their risks seriously and do everything they can to tackle the threat head-on. Responsible and vigorous action by companies against the threat from IRA/RIRA did much to reduce the impact of those attacks and, arguably, to make the City of London a much harder target.
Companies as Counter-Terrorists
Many companies, though, are shirking their responsibilities to tackle terrorism. In a recent survey of 5000 companies, just 45 per cent had business continuity or consequence management plans in place. Some companies may wrongly assume that the scale of the threat is so large that it can't be managed. Others may assume the policies they already have in place will be able to cope with new and emerging threats. In fact, adopting these policies against some of the new threats could at best prove ineffective, and at worst actually worsen the impact. Ultimately, there is little pressure exerted on companies that choose not to act. There are no agreed standards of best practice, and this makes it difficult for a company's stakeholders – its staff, shareholders, suppliers, neighbours, and so forth – to question the policies it adopts.
It can take up to two years, though, to implement risk management into business operations, and maintaining the momentum over this period – particularly if there is not an attack or there are long periods between them – requires buy-in from the board. Often easier said than done.
While there is little companies can do to detect or interdict planned attacks – that is indeed still the role of the state – they can prepare contingency and crisis management plans to ensure their response reduces rather than exacerbates the impact of a successful attack. Here, preparation is key. 'Thinking the unthinkable' has been a much-used phrase since September 11th; companies must not just be prepared for the last attack, they must anticipate what's coming next. Companies must run regular scenario sessions, preferably in collaboration with the government, and should have a trained and permanent crisis management team in place to take ownership of this work. These plans must then be revisited on a regular basis.
Many companies wrongly believe that the plans they developed to counter the threat from IRA/RIRA will protect them from possible attack from Al Qaida. However, the nature and scale of these attacks would render many policies at best ineffective and at worst worsen the impact. Companies must prepare for losses and damage on a much larger scale than they have ever faced before. It is highly unlikely they will receive a warning, and there is evidence that Al Qaida has tried to obtain weapons of mass destruction. As John Smith remarks in The Unlikely Counter-Terrorists, "It is now prudent to consider and plan for damage on the geographic and time scales of Chernobyl, Bhopal or Toulouse. A police cordon for 3-4 days some 400 metres around the site of a conventional vehicle bomb explosion may be a thing of the past. Successful chemical, biological or radiological attacks may deny access to large segments of cities for significant periods." The possibility of large-scale loss of life requires companies to take succession planning seriously. Loss of the entire Board is a risk that should be planned for, and companies must have succession plans in place for this possibility. The so-called 'golden hour' after an attack is now more important than ever before; a company's response in the minutes after an attack will determine whether or not they survive.
Companies must also revise their relocation plans. Many establish alternative offices where they can relocate operations in the event of an attack – so-called 'hot' and 'warm' sites. These tend to be near enough to the original office to limit the amount of disruption to staff and operations. In the event of a large-scale attack, though, access to such 'hot' sites may also be denied, as was the case with some companies in the World Trade Center.
Even with the best crisis management plans in place, a successful response depends on the willingness of the workforce to follow instructions. For example, in the event of a chemical or biological attack, workers may be safest remaining inside the building. But with the images of the Twin Towers firmly etched in their minds, some may choose to vote with their feet and leave the building. Not only would this put the individual at risk, it would also increase the movement of air, thus spreading the substance yet further. In his recent article in Security Monitor, Garth Whitty makes a series of sensible and relevant recommendations.
The Role for the Government
Of course, the role for the government is still as important as ever. It has a responsibility to provide a framework within which companies can carry out their counter-terrorist responsibilities in order to create the momentum needed to maintain this important work into the long-term. While the foundations for this framework have been set, there is much more work to be done.
If the government is to embrace the concept of business as counter-terrorists it must not let companies face the threat blindfolded. Corporate security managers currently only have access to relatively low-level intelligence, which undoubtedly impacts on their work. While some, through personal contacts, may have access to more, the government must address this deficiency and ensure that access to intelligence is deepened and widened and delivered in a more systematic way. Of course, there would continue to be sensitivities around certain types of intelligence and it would need to balance often-opposing concerns. But ultimately, the government has a responsibility to make information sharing work. Towards this end, Dr Sally Leivesley has suggested it establish a one-stop shop link for companies within government and the creation of a link between the Cabinet Office and industry leaders to share information and intelligence. John Smith has recommended it also up-date the well-respected Home Office pamphlet, Bombs: Protecting People and Property to include information about chemical, biological, radiological and nuclear (CBRN) attacks.
A co-ordinated response necessitates co-ordinated planning. Joint government-business scenario planning sessions and exercises that test their plans would allow lessons learned and experience in one area to be transferred to other parts of the country. This practical partnership would also help to build the trust between public and private sectors that is often lacking, especially in relation to matters of security.
Public-private partnership should not be regarded as being one directional – the government depends on business in a number of ways. The business community is responsible for developing the software and technology that can help tackle cyber and other forms of terrorism; many of the country's critical infrastructures are now privately-owned; the long-term stability of the UK following an attack depends on the business community getting back on its feet as quickly as possible; and there are now infinite dependencies between systems. Public-private partnership in tackling terrorism must be based on genuine principles of partnership. Businessmen may be unlikely counter-terrorists, but a national policy without them will make the UK a softer target for attack.
Rachel Briggs is Risk and Security Programme Manager at The Foreign Policy Centre. The Unlikely Counter-Terrorists, which she edited, was published by the Centre in November 2002 (£19.95 plus p&p). The Collection includes a foreword from Ken Livingstone and contributions from John Bray, Bruno Brunskill, Roger Davies, Bruce George MP, Dr Sally Leivesley, Richard Sambrook, John Smith, David Veness and Natalie Whatford. It was kindly supported by BAe Systems, Control Risks Group and the RSMF. To order a copy of the collection, contact Central Books (tel: 020 8986 5488, email: firstname.lastname@example.org).