Category: Weblogs

Internet Security and the Paranoid Mindset

Posted on by Lucien Canton | Posted in WeblogsLeave a Comment on Internet Security and the Paranoid Mindset

Ever give much thought to cyber-attack? A lot of us are at least familiar with the concept but would we know one if we experienced it?

As an emergency manager, one of the things I really worry about is the slow-onset disaster – the event that starts low key and progresses so slowly that by the time you recognize something is happening, you're already behind the power curve. Training yourself to anticipate this kind of disaster means you sometimes come across as a bit paranoid.

So what's this got to do with cyber-attack? Consider the following:

  • On September 13, Chase bank experienced problems with it's website after software from a third–party database company corrupted information in its systems causing over two days of downtime and affecting millions of customers. Chase stated that this was a technical error.
  • On September 17, American Express suffered a systems outage. This was nothing major and the system was soon restored.

So, was this just a coincidence that two major financial institutions suffer outages within days of each other? That's certainly possible. Or is something more insidious going on here?

I guess it really depends on your level of paranoia.

Pacific Gas and Electric another BP?

Posted on by Lucien Canton | Posted in WeblogsLeave a Comment on Pacific Gas and Electric another BP?

Many of you I know have been following the recent tragedy in San Bruno, California. This one is a bit personal for me as I frequently drove by the area damaged by the gas explosion, some of the dead were friends of friends, and many of my colleagues are working on the scene, either in their official capacity or as volunteers.

We've reached that stage in disaster response where the shock is wearing off and the finger-pointing is beginning. Pacific Gas and Electric is taking flak for its maintenance procedures and has just been ordered to inspect more than 5,700 miles of pipeline. At this point, they're probably wishing they'd spent more on maintenance.

PG&E is cooperating fully with investigators and has pledged $100 million to help rebuild San Bruno. The pipeline was inspected in March and passed and rumors of complaints about the smell of gas days prior to the explosion do not seem to be substantiated. A portion of the damaged line was scheduled for replacement. This is all good news for PG&E.

However, PG&E is also supporting a proposal before the California Public Utilities Commission that would require customers to pay the uninsured portion of catastrophic fires, such as the one in San Bruno. It doesn't help that a lot of locals recall that PG&E spent about $40 million in the last election to defeat a public power initiative. Both of these are decisions based on the business needs of the company and were in place before the explosion. However, they do not play well with the public and are already beginning to affect PG&E's reputation. If it also emerges that there were corners cut in maintenance or delays in replacing the pipeline because of cost, PG&E may well find it itself in the same position BP did – in the cross-hairs with no place to hide.

Emergency Preparedness – Shifting the focus for emergency management

Posted on by Lucien Canton | Posted in WeblogsLeave a Comment on Emergency Preparedness – Shifting the focus for emergency management

September is National Preparedness Monthin the United States and Mother Nature is certainly doing her best to remind us of the importance of being prepared. Since September 1st we've seen a hurricane along the East Coast, a tropical storm in Texas that caused tornado watches, and a major wildfire in Colorado. As I write this, another tropical storm is building in the Atlantic. On the international scene, we've experienced a volcanic eruption in Indonesia, a tropical storm in Bermuda, and an earthquake in New Zealand. And the month isn't half over yet!

As an emergency manager, I'm a big supporter of anything that helps motivate people to prepare. However, I'm always a bit concerned when we launch one of these ad campaigns that we are not really making much of a difference. Dr. Dennis Mileti spoke at the International Association of Emergency Managers conference a few years ago and pointed out that a lot of how we try to influence behavior is not consistent with what social science research shows is really effective. Simply put, warnings and scare tactics don't work. People instead will do what everybody else is doing.

Part of the problem as I see it, is that we have made preparedness an end in itself and closely associated it with disasters. We focus on specific plans and kits and train in skills related to disaster. None of this is bad, of course, and I firmly support programs such as community emergency response teams (CERT). However, our approach tends to make preparedness something outside of every day life when it really should be part of how we live our lives. For example, most homes have a flashlight because it has multiple uses, not just because we need it in an earthquake. I'm also willing to bet that the flashlight you use daily works while the one in your emergency kit hasn't been checked since you bought it.

So let's try something a bit different for this National Preparedness Month. Rather than repeating a lot of the same material we always use, let's keep our preparedness advice grounded in the realities of day-to-day life. Let's encourage people to prepare because it helps us deal with daily life.

Preparedness – it's not just for disasters!

Disasters and Social Media

Posted on by Lucien Canton | Posted in Weblogs3 Comments on Disasters and Social Media

In my July newsletter I briefly discussed the Ushahidi Program as an example of the growing use of social media in disasters using. On August 9, the Red Cross released a survey showing just how important social media is becoming. The results are striking:

  • 69% of respondents believed emergency responders should be monitoring social media
  • 74% expected a response in less than an hour after a tweet or Facebook posting
  • 20% would contact responders through digital means if 911 was not answering

If respondents knew of someone in trouble, they would also turn to social media.

  • 44% would ask social media contacts to notify authorities
  • 35% would post a request for help on an agency's Facebook page
  • 28% would send a direct Twitter message to responders

Another finding that isof interest to emergency managers is that more web users say they get emergency information from Facebook than from NOAA weather radio.

I believe it no no longer matters whether emergency managers choose to take social media seriously. We really have no choice. Our profession is driven, to a large extent, by public expectation. In this case, that expectation is clear – the traditional methods by which we communicate with the public are no longer sufficient.

Solar Storms – Do They Matter?

Posted on by Lucien Canton | Posted in Weblogs2 Comments on Solar Storms – Do They Matter?

Effective emergency management begins with an assessment of risk. The problem is in identifying hazards and their potential impact on the people and organizations we serve. It seems there's a never ending stream of hazards.

Some of them are not very noticeable. According to NASA, on August 1 there was considerable activity on the earth-facing side of the sun: a C3-class solar flare, a solar tsunami, multiple filaments of magnetism lifting off the stellar surface, large-scale shaking of the solar corona, radio bursts.

The activity also included two coronal mass ejections (CME), one of which sparked a G-2 (on a scale of G-1 to G-5) magnetic storm on earth on August 3 that lasted 12 hours. Sounds ominous but it did little more than spark Northern Lights over Europe and North America. The second is still on the way and, according to NOAA's Space Weather Prediction Center, may produce a major magnetic storm tomorrow.

Here's NASA's definition of a CME:

CMEs are large clouds of charged particles that are ejected from the sun over the course of several hours and can carry up to ten billion tons of plasma. They expand away from the sun at speeds as high as a million miles an hour. A CME can make the 93-million-mile journey to Earth in just two to four days. Stronger solar storms could cause adverse impacts to space-based assets and technological infrastructure on Earth.

So what's my point? As I've said many times, risk is relative. For most of us, solar storms have no discernible effect, beyond putting on a natural light show. However, large scale storms have the capacity to damage power systems, disrupt communications, and degrade high-tech navigation systems. If you work with or rely on these systems, you should at least be aware of the potential impacts of solar storms. Monitoring solar activity might be cheap insurance.

My thanks to my friend and colleague, Regina Phelps, whose blog H1N1 (Swine Flu):  If It’s Not One Thing, It’s Another…Solar Tsunami to Strike Earth, inspired this article!

Disaster Mythology in Maryland

Posted on by Lucien Canton | Posted in Weblogs1 Comment on Disaster Mythology in Maryland

I just received an interesting note from my friend and colleague, Rocky Lopes. It seems that the recent 3.6 earthquake in Maryland rattled a bit more than windows. Here in California, we use 5.0 earthquakes to stir our coffee, so a 3.6 would probably not be noticed in most places. However, Maryland rarely gets earthquakes, so this one got their attention. Unfortunately, according to Rocky, a lot of the information and comments making the rounds after the temblor were based on what we call disaster mythology – something very akin to folklore. These included things like the old "stand in the door" response. On the plus side, Rocky was asked to appear on a local news show and did his best to correct some of the misinformation.

There are a couple of lessons here. The first is that we truly have to be all-hazards in our planning. As we do our risk analysis, we should plan not only for the most likely event but for other possible events as well and that planning should include pre-scripted public safety announcements. Secondly, in this age of rapid communications, we need to get our message out to the public almost immediately. We can't afford to wait and then try to counter rumors and old folk tales.

Does foreseeability equal responsibility? Another lesson from BP.

Posted on by Lucien Canton | Posted in WeblogsLeave a Comment on Does foreseeability equal responsibility? Another lesson from BP.

Here's another for the "you can't make this stuff up" category.

One of the basics of liability is the concept that if an event is foreseeable, you need to have at least considered it in your planning. This usually comes down to proving whether or not an event was foreseeable, a question usually decided by a jury. To prove foreseeability, attorneys will usually go after things like company memos, emails between executives, studies and so forth.

So let's suppose you're sitting on a jury deciding whether BP's oil spill was foreseeable. BP, of course, is arguing that it was not. Then the plaintiff's attorney trots out the following:

BP Oilstrike

Yes, there it is – a 30 year old board game from BP where four players compete to be the first to make the big bucks. One of the hazards is:  "Blow-out! Rig damaged. Oil slick cleanup costs. Pay $1 million."

Thanks to the good people at The Consumerist for brightening my morning. You can find more photos of the game at BoardGameGeek.

There are two lessons here for us. As I have said repeatedly, there really is nothing new under the sun. Any disaster you can come up with has happened at some point in history (okay, you wise guys, maybe not extraterrestrial invasion, unless you're fan of Erich von Daniken), so everything really is foreseeable. Secondly, the Internet never, ever forgets!

So how do you vote, Juror Number Five?

You Can Run But You Can’t Hide: Another Lesson From the Gulf Spill

Posted on by Lucien Canton | Posted in Weblogs4 Comments on You Can Run But You Can’t Hide: Another Lesson From the Gulf Spill

My good friend, Art Taber, sent me a link to BP'sRegional Oil Spill Response Plan – Gulf of Mexico dated June 30, 2009. Although Art is not an emergency manager, he took the time to read the 583 page document and offered the following observations:

  1. In a section titled “Sensitive Biological & Human-Use Resources,” the plan lists “seals, sea otters and walruses” as animals that could be impacted by a Gulf of Mexico spill;
  2. It lists a Japanese home shopping website as the link to one of its "primary equipment providers for BP in the Gulf of Mexico Region [for] rapid deployment of spill response resources on a 24 hour, 7 days a week basis". While I can't read Japanese, it does seem to me that: http://www.msrc.com/Equipment.htm is not a purveyor of oil-spill related cleanup supplies or heavy equipment;
  3. It directs BP media spokespeople to never make "promises that property, ecology, or anything else will be restored to normal." {Like the statements that their CEO has been making?};
  4. It contains no information about tracking sub-surface oil plumes from deep water blowouts such as those now billowing from the damaged oil well that the Deepwater Horizon was drilling before it exploded on April 20. {Like those plumes that BP denies are occurring?};
  5. It includes no information about currents, tides, prevailing winds, possible hurricanes or other oceanographic or meteorological conditions, even though such data are essential for effective oil spill response;
  6. It contains no information about preventing disease transmission (such as viruses or bacteria) to captured animals in rehabilitation facilities, which was identified as a serious risk after the Exxon Valdez oil spill in 1989;
  7. In the chapter on "Worst Case Discharge" offers assurances that within hours of any incident, regardless of size, "personnel, equipment, and materials in sufficient quantities and recovery capacity to respond effectively to oil spills from the facilities and leases covered by this plan, including the worst case discharge scenarios" will be deployed.

Whether Art's observations are accurate is not the point. What is important is that in this day and age, your plans are readily accessible to informed and involved citizens like my friend Art and you will be held accountable for their contents in the court of public opinion. And before you use this as an argument that your plans should notbe posted on the Internet, remember that these plans must be provided to a private citizen if you're a government agency under the Freedom of Information Act or during pre-trial discovery in a lawsuit if you're a private organization. Regardless, electronic media files are still easier to leak to the media than hard copies were in the days of the Pentagon Papers. Sooner or later, the public is going to get to read them.

So what's the solution? Do I really need to spell it out? Stop writing plans merely to meet requirements and start writing plans that really address the problems they were intended to solve. Want it simpler? Do the right thing.

Learning from Catastrophe?

Posted on by Lucien Canton | Posted in WeblogsLeave a Comment on Learning from Catastrophe?

A recent op-ed piece in the San Francisco Chronicle by Ian Mitroff dealt with lessons that we should be learning from the recent oil spill in the Gulf. Mitroff is a professor at Alliant University in San Francisco and a senior investigator in the Center for Catastrophic Risk Management at UC Berkeley. He makes four very salient points:

  1. preparedness before the event is essential in reducing the impact of the event,
  2. your record of past performance is readily available making it futile to try to reduce liability by pleading ignorance or unforseeability,
  3. mitigation is cost effective – it's cheaper than paying damages in most cases. and
  4. it's pointless to try to blame others when you are responsible for your failures

Part of my frustration is that this is the same message we've been trying to communicate for years as emergency managers but our leaders are still not getting it. Part of the reason is that deep down in the hidden recesses of their hearts, most people really don't believe a disaster will happen; that if it occurs, it won't happen to them; or if it does happen to them, it won't be that bad. That's human nature.

However, when you're in a position of responsibility with the lives and livelihood of others depending on you, it might just be in your own best interests to listen to your advisors and do something about mitigation and preparedness before something bad happens. It's cheaper and better than trying to explain to the public and your shareholders after the event why you didn't do spend a few dollars to prevent a catastrophic loss.

Worst Case Scenarios

Posted on by Lucien Canton | Posted in WeblogsLeave a Comment on Worst Case Scenarios

One of the recurring questions in emergency management involves how we use risk assessments in planning. On the one hand, we need to focus on objective risk – risk that is most likely to occur and is credible. On the other hand, we understand that we are frequently dealing with events that fall into the high impact, low frequency category and there is little evidence on which to base a true risk analysis.

I've argued elsewhere that the "gloom and doom" approach doesn't sell to senior executives. I've also argued against scenario-based planning except in specific cases. However, I've never been able to articulate just what I felt was wrong with worst case scenarios. Thankfully, Bruce Schneier has done so in a recent blog titled Worst Case Thinking, an article that should be required reading for emergency managers.

Schneier makes four excellent points about worst-case scenarios:

  1. They focus on extreme but improbable risks and do not do a good job of assessing outcomes.
  2. They are based on flawed logic, assuming that is necessary to prove the scenario impossible.
  3. They can be used to support any position or its opposite.
  4. They validate ignorance by focusing on the unknown rather than on what is known.

Worst-case scenarios play on our fears and force us to make bad decisions. One can also argue that relying on a worst-case scenario is easier than making hard decisions that carry a certain amount of risk. We have a tendency to act as if the worst-case scenario is the most likely scenario and therefore we hesitate to act or, as has become the case over the last few years, to over-react.

It's worth remembering that use of risk management is one of the Principles of Emergency Management.