SECURITY PLANNING: Living with Terror

Nearly six years before Sept. 11, 2001, Citibank, the Pittsford, N.Y.-based multinational financial services company, became starkly aware how vulnerable its operations were to terrorist attack. On the evening of Friday, Feb. 9, 1996, as weary office workers in London’s Canary Wharf area were heading home, IRA terrorists telephoned a series of coded warnings to media organizations about a bomb they had placed. As police hastily cleared the target area, the device exploded, killing two people, hospitalizing more than 100 others and damaging several buildings so badly that they subsequently had to be demolished.

The advanced warning and the fact that many workers had already left for the weekend undoubtedly contributed to the low number of fatalities. But so too did the fact that the building that took the brunt of the blast housed Citibank’s European backup hot site with 1,000 empty desks set up and ready to be used should any one of Citibank’s European offices?staffed and managed by Europeans?go out of action. Had the building not been purposely left empty, the police believe that the casualty toll would have undoubtedly been far higher.

For Citibank, which had operations in some 14 European countries, the blast was an unlucky reminder that?despite careful contingency planning?there’s no safe haven from terrorism’s disruption. While few disaster plans start with the premise that the backup facility may be devastated, throughout Europe?a region that has an unfortunate history of terrorism?planning for debilitating disasters is considered a normal part of business.

And there’s a growing sense that American companies are only now waking up to the same realization. “Businesses in the U.S. have been extremely complacent about terrorism,” says Professor Wendy Currie, director of the Centre of Strategic Information Systems at Brunel University in Uxbridge, England. “It’s very different from the attitude in some parts of Europe?such as London, Madrid and Paris?where people tend to be subconsciously on their guard.”

Consequently, American companies have a lot to learn from companies that operate in Europe. Certainly, the events at the World Trade Center and the Pentagon demonstrate the enormous disruption terrorism can cause. But, as European-based companies have learned, preparations in the form of backup sites and contingency plans are only part of the equation. Just as important is the adoption of a mind-set that acknowledges the threat of terrorism yet at the same time insists on a determination that business will go on.

Revamped Plans

Despite the devastation at Citibank’s hot site, not every company at Canary Wharf was so fortunate as to merely have empty desks disabled. While Citibank scrambled to find an alternate backup facility, other companies at Canary Wharf were addressing more fundamental issues. Like getting their company up and running again.

The Builder Group, a publisher of construction and property magazines, is one example. Its premises, too, were damaged so badly that they ultimately had to be pulled down. Yet unlike Citibank, The Builder Group had no standby facilities into which it could move. Without a backup site, and without access to its computers for five days while police and fire officials searched for clues, employees had to re-create their work from that Friday before the bomb detonated. While no magazine issues suffered, The Builder Group has since revamped its antiterrorism disaster plans, having learned bitter lessons from the experience.

Chief among those, says Bob Durrant, the company’s systems manager, is the recognition that the data held on office computers is more fragile than the hardware itself. Provided that the equipment isn’t totally destroyed, he says, it’s perfectly feasible to clean hardware up and bring it back into use, albeit temporarily. “It’s difficult, but at least you don’t lose everything like you do with fire or flood,” he says. “From that point of view, it’s a more survivable event.”

While The Builder Group had long kept backup data offsite, it also now keeps hardware offsite on which to run that backup data. Now, says Durrant, disaster plans call for The Builder Group to keep a general-purpose server on standby at an undisclosed offsite location. Preconfigured and ready to go, it sits there just in case.

Lightning Strikes Twice

For Citibank, more upheaval was to come. Ten days after the Canary Wharf bombing, an IRA terrorist prematurely detonated a bomb on a red double-decker bus driving down London’s Strand. The bomb went off right outside another Citibank location?ironically, one containing the office of independent IT consultant Keith Ford, a specialist in disaster recovery planning who was then engaged in advising Citibank on how to protect its operations.

Taken together, the two bombs composed something of a baptism by fire?but also an invaluable opportunity for Citibank to test its plan against real-life disasters. From the disaster planning perspective, the first bomb was “a nightmare scenario,” says Ford. “Disaster planning is all about thinking the unthinkable?but when you talk about possible scenarios, a bomb taking out your backup hot site has to be fairly unlikely.” Even so, the impact on day-to-day operations was limited. The second bomb, despite causing less damage, affected an operational unit.

The result for Citibank was twofold: An affirmation that previous plans worked, along with new lessons on how to improve them. Unlike at Canary Wharf, damage to computer equipment was light. Citibank had installed blast-proof windows in the building as insurance against precisely that sort of eventuality. Such windows contain a laminate layer in a glass “sandwich,” so that the window shatters but does not implode. That was the good news. Not quite so welcome was the associated learning point: It was to be some days before access to the building could be regained?and only then because of strong links between Citibank and London’s civil authorities (Citibank’s head of security was a former London police officer, says Ford). One of the largest companies involved in the attack, Citibank sent representatives to attend emergency planning meetings organized by London boroughs the City of Westminster and City of London, says Ford, who adds that many companies don’t follow Citibank’s practice. “Only when a bomb goes off do they then find that their own disaster recovery plans don’t dovetail with those of the civil authorities,” he says. When given the opportunity, Ford recommends that American business executives meet with local authorities to go over their plans for post-terrorist attack access to business premises.

To Ford, whose clients have included American-based companies with facilities in the United Kingdom, such as Capital One and Prudential, such dovetailing is essential if a plan’s goal is?in Prussian General Helmuth von Molke’s immortal words?to survive contact with the enemy. “Typically, companies’ disaster plans are event-based, or action-based, and don’t go into enough detail at the ’who’ level,” Ford says. For example, companies usually overlook the fact that just a handful of preauthorized people will be allowed access to a disaster site and then only for a limited period. “Plans generally assume that a thousand people can go about their business as before?and suddenly you have to confront the fact that only the facilities person, a technology person and a disaster recovery person are allowed past the yellow tape [cordons],” he says.

Getting in Touch

It’s precisely that kind of stark realization that prompts survivors to recognize that business continuity embraces much more than just a company’s computers. “Planning is vital, but you have to look beyond the IT issues to the business as a whole,” says Peter Lake, European business development director for Thomson Legal and Regulatory (part of the giant DC Thomson group), who as the managing director of Gee Publishing, another part of Thomson, saw his company’s premises shattered by the Canary Wharf bomb. Although Gee Publishing had a disaster plan?and indeed, had three copies of it offsite?the process of putting it into practice proved highly educational.

Among the chief lessons: Keep any disaster plan concise. Once the senior management team started putting the plan into action on that Friday evening, Lake says, it soon became clear that the level of detail contained within its several hundred pages was simply too great. Typical of the sort of information that Lake now feels Gee didn’t need to have was a section on how to set up an emergency team, which was simply too verbose to be useful. “In the event, you just get on and do it,” he says. The original plan also assumed that the consultative decision making typical of day-to-day operations would continue postattack. “My style was markedly different from that used to run the company normally,” says Lake. “Consensus was not as important as getting tasks done?so much had to be decided and quickly communicated.”

Some of the most useful pieces of information in the plan turned out to be up-to-date telephone numbers?including weekend contact information?for key members of staff, suppliers, local utilities and emergency services. With urgent decisions to be made about where to relocate, those numbers saved precious hours in tracking down the right individuals and getting them onsite. As part of the Thomson group, which has extensive London operations, Gee had access to empty office space in which to relocate, but it contained no furniture or computers. Contacting staff quickly was therefore an urgent priority, says Lake.

Yet it became clear that there were gaps in the plan; critically, it contained no listings of home contact details for employees apart from the key members of staff involved in post-disaster decision making. “We had the information alright,” says Lake, “but it was sitting in the personnel records and not held offsite.”

What followed was a weekend of telephoning staff, plugging into people’s social networks, finding employees home telephone numbers from individual colleagues and making contact that way. “By the Sunday night, we’d spoken to 108 out of the 113 employees.” Thanks, he says, to heroic efforts on Saturday and Sunday in setting up such basic facilities as a telephone switchboard and arranging for calls to be rerouted to it, a skeleton crew of staff were able to answer the phone on the Monday morning following the explosion, though most staff stayed at home on full pay until the furniture and computers were installed in the new premises. If another bomb were to go off today, Lake says, the Internet would undoubtedly remove some of the pressure to contact employees. Even so, he reflects, after such a traumatic occurrence “there is no substitute for being able to speak to everyone on a frequent and regular basis.”

A Wake-Up Call

Taken together, these experiences compose a fairly representative picture of how European companies in terrorism hot spots such as London, Madrid and Paris endure the possibility of disruptive terrorist attacks. While Europeans have simply factored the possibility of such disruption into the way they go about their business, U.S. companies have tended to assume that the problem of terrorism was one that wouldn’t afflict America. “We’ve had a deep-seated belief in the invulnerability of our infrastructure,” says Phil Lacombe, president of information and infrastructure protection at Arlington, Va.-based software company Veridian, and a former staff director of the President’s Commission on Critical Infrastructure Protection established by President Clinton in 1996. “We just don’t have any experience of being attacked?even in World War II. The last time America’s infrastructure came under attack was the War of 1812.”

Consequently, he believes, American companies have been remiss when it comes to preparing for the threat terrorism poses. During his time at the commission, recalls Lacombe, businesspeople would ask him for definitive information on the threat so that they could raise awareness to the point of getting money for deterrence. Such information was of course difficult to come by. Ironically, some members of the commission used to observe “that it would take an infrastructure Pearl Harbor before America would listen,” he adds. “That’s just happened.”

Steve Akridge, chief information security officer for Georgia’s Technology Authority, the Atlanta-based IT arm of the state of Georgia, shares similar concerns. A former U.S. Navy chief cryptologist who worked in Europe, Akridge sees a sharp contrast between American preparedness for terrorist attacks and the far less sanguine view prevailing overseas. “I’ve spent time in the U.K., and there are a lot of things that folks there have come to accept, maybe without even thinking about it anymore?like the absence of trash cans,” he says. (Trash cans are a favored location for terrorists’ bombs.) “I’m concerned that we’re now in that environment in America.”

And certainly, the events of Sept. 11 have acted as a kind of wake-up call. “It’s not a fire in an electrical room that they’ve got to prepare for or a flood,” says Akridge. “Instead, it’s utter devastation.”

European companies have shown themselves more willing to pay out the serious money required to provide themselves with the best form of protection against such devastation: backup facilities, ready to be moved into if necessary. In British eyes, the United States is underprovisioned with those facilities. “Having your computers backed up and your data safe is no use if there’s nowhere for people to operate those computers?what we call the bums-on-seats factor,” says John Kersley, general manger for global recovery services at SchlumbergerSema of Walton-on-Thames, England.

It is, he adds, a peculiarly American blind spot. “We estimate that only 20 percent of the businesses based in the World Trade Center had an adequate disaster recovery plan in place at the time of the attack,” he says. “In the whole of Manhattan, we could find less than 1,000 business continuity positions provided by third parties,” he says. “In London, we alone operate 6,000 positions?and we’re just one supplier.”

Such backup facilities are big business in the United Kingdom. Although New York City dwarfs London as a financial and commercial center, London has more than 1 million square feet of third-party-operated business recovery space compared with New York City’s 500,000 square feet, according to Kersley.

Recognizing terrorism as a risk of doing business is an attitude that prevails throughout Europe. “The incidence of ETA [the Basque terrorist group] terrorism in Spain is very localized, and sometimes we aren’t very comfortable knowing that a specific node of our network is in a place with a higher degree of risk,” says Paualino Folch, director of organization and IT at NestlŽ Esp‹na in Barcelona, Spain. “You can’t avoid such places?business is business?so you just have to live with the risk.” In such locations, NestlŽ applies the same technical security standards as elsewhere, but stipulates a higher degree of physical security such as restricted access and a careful choice of server location.

One thing seems certain. Whatever their chosen degree of protection, American companies now join their European counterparts in knowing that the unthinkable can indeed happen. While the events of Sept. 11 were extreme?no attack in Europe has even come close to matching their horror?never again will U.S. CIOs be able to assume that it can’t happen here. It has, and it could again. And that’s something Europeans have known for quite a while.