The crime committed by Mrs. Bill Clinton...translated into English.

Friend, fellow Army veterans and long time sharer of 1835 Bourbon, Mike Ford, has written another article for American Thinker and again, he's knocked out out the park. This explains in good details how the former Secretary of State tried to get around established federal law in handling classified data.

Hillary's Email: It's a Felony!

The constant "drip, drip drip," regarding former Secretary of State Clinton's e-mail is starting to sound like so much inside baseball. Secretary Clinton continues to stand on her statement that none of the e-mail she sent or received had classified markings. Other folks in the conversation comment that many of the e-mails Secretary Clinton wrote and received were "born classified," at the time she wrote or received them.

We need to cut to the chase. Somebody committed a felony, likely several. If, as some reports have indicated, there was certain overhead imagery, marked or unmarked on Secretary Clinton's e-mail server, someone committed a serious crime. The way government information/automation systems are set up, someone had to take a deliberate series of felonious actions in order for that imagery to get there. Period.

One such action appears to be confirmed yesterday in an article in National Review by Brendan Bordelon entitled: Clinton Pushed Aide to Strip Markings from Sensitive Documents, Send through ‘Nonsecure’ Channel:

During a 2011 e-mail exchange, Hillary Clinton urged top aide Jake Sullivan to strip classified talking points of all markings and send them through “nonsecure” means after a secure fax line failed to function. On the night of June 16, 2011, Sullivan told Clinton that important talking points on an undetermined issue would be faxed to her the following morning. When Clinton informed Sullivan that the talking points had not yet materialized, he began a frantic search for the problem. “They say they’ve had issues sending secure fax,” he wrote to Clinton 15 minutes later. “They’re working on it.” “If they can’t, turn into nonpaper with no identifying heading and send nonsecure,” Clinton replied. (Emphasis mine)

Instead of getting into a detailed primer on Department of Defense and Department of State electronic communications, I'll give you the short version. Although the State Department and the Department of Defense use different systems for their unclassified communications, they do share some of the same systems for their classified traffic.

The unclassified systems used by Defense and State have e-mail, file sharing and teleconferencing capabilities. Those systems also have access to the Internet. Some agencies allow their employees to use their unclassified computers to conduct limited personal business, such as sending e-mails and looking at The Weekly Standard online, during their breaks. These employees can also send e-mail to private addressees from this system.

The classified systems the agencies use jointly are:

SIPRNet (Secret Internet Protocol Router Network): used to transmit material that is classified CONFIDENTIAL or SECRET. It may not be used to transmit TOP SECRET material.

JWICS (Joint Worldwide Intelligence Communications System): used to transmit TOP SECRET information, to include highly classified satellite imagery. The JWICS system is where Private Bradley Manning obtained the information he later gave to Wikileaks. This is also the system the State Department uses to routinely receive and access satellite imagery and imagery analysis, along with other TOP SECRET information.

What is important to understand is that, except for extremely rare and tightly controlled circumstances, JWICS, SIPRNet and the in-house unclassified systems do not connect to each other. Except for that very rare exception, the only way to get information from one system to another is to use a system I have yet to introduce, the SneakerNet. "SneakerNet" is IT slang, referring to someone taking information on one system, saving it to portable media, disk or thumb drive and walking ("sneakering") it over to the other system and uploading it, thereby bypassing the procedural safeguards inherent in separate, unconnected systems. An alternative, using the same concept, would be to print the data from a JWICS terminal (possibly inside the State Department) and then scan the hard copy into an unclassified system. This method would also work were someone get access to a hard copy document or photo handed out at a meeting.

One of the advantages of this unconnected system of systems is that it virtually eliminates "spillage," the accidental release of one level of classified information into an arena not cleared for it. If there was reconnaissance satellite imagery or analysis of that imagery on Secretary Clinton's server or any other unclassified system, then someone had to take a series of deliberate and felonious steps to put it there.

A photo would have had to have its markings deliberately removed. Then it would have had to have been copied from JWICS onto removable media (or printed out) and uploaded (or scanned) to either an unclassified computer & e-mailed to Secretary Clinton, or directly uploaded to her server. In the case that what was on her server was merely a written assessment of what the imagery shows, the above still pertains. Someone had to make a series of deliberate decisions and steps to either copy or transcribe the assessment from JWICS and send it via a nonsecure e-mail to Secretary Clinton.

What this means is that the conversation about this being a mistake, accident, or minor error in judgment, is a flat out lie. In my humble opinion, this lie should be rolled into an obstruction of justice charge -- yet another felony.

Disclosure: The last time I personally used any of these systems was in 2012. Systems and procedures have likely changed since then.

Mike Ford is a former Infantry Colonel. He has served in Europe, Central America and in Southwest Asia, Commanding at the Detachment, Company, Battalion and Brigade Levels.

One of the points I made on a recent FB post is before being allowed access to classified data, all employees (civilian and military) must sign a Standard Form-312 Classified Information Non-Disclosure Agreement. I pointed out the beginning of the form, (emphasis mine)

AN AGREEMENT BETWEEN Mrs. Bill Clinton AND THE UNITED STATES

1. Intending to be legally bound, I hereby accept the obligations contained in this Agreement in consideration of my being granted access to classified information. As used in this Agreement, classified information is marked or unmarked classified information, including oral communications, that is classified under the standards of Executive Order 13526, or under any other Executive order or statute that prohibits the unauthorized disclosure of information in the interest of national security; and unclassified information that meets the standards for classification and is in the process of a classification determination as provided in sections 1.1, 1.2, 1.3 and 1.4(e) of Executive Order 13526, or under any other Executive order or statute that requires protection for such information in the interest of national security. I understand and accept that by being granted access to classified information, special confidence and trust shall be placed in me by the United States Government.

2. I hereby acknowledge that I have received a security indoctrination concerning the nature and protection of classified information, including the procedures to be followed in ascertaining whether other persons to whom I contemplate disclosing this information have been approved for access to it, and that I understand these procedures.

3. I have been advised that the unauthorized disclosure, unauthorized retention, or negligent handling of classified information by me could cause damage or irreparable injury to the United States or could be used to advantage by a foreign nation. I hereby agree that I will never divulge classified information to anyone unless: (a) I have officially verified that the recipient has been properly authorized by the United States Government to receive it; or (b) I have been given prior written notice of authorization from the United States Government Department or Agency (hereinafter Department or Agency) responsible for the classification of information or last granting me a security clearance that such disclosure is permitted. I understand that if I am uncertain about the classification status of information, I am required to confirm from an authorized official that the information is unclassified before I may disclose it, except to a person as provided in (a) or (b), above. I further understand that I am obligated to comply with laws and regulations that prohibit the unauthorized disclosure of classified information.

4. I have been advised that any breach of this Agreement may result in the termination of any security clearances I hold; removal from any position of special confidence and trust requiring such clearances; or termination of my employment or other relationships with the Departments or Agencies that granted my security clearance or clearances. In addition, I have been advised that any unauthorized disclosure of classified information by me may constitute a violation, or violations, of United States criminal laws, including the provisions of sections 641, 793, 794, 798, *952 and 1924, title 18, United States Code; *the provisions of section 783(b}, title 50, United States Code; and the provisions of the Intelligence Identities Protection Act of 1982. I recognize that nothing in this Agreement constitutes a waiver by the United States of the right to prosecute me for any statutory violation...

She knew what she was doing, but the law doesn't apply to her. Why is it the Obama Regime's Just-Us Department is actively sabotaging the campaign of Mrs. Bill Clinton? They know this will seriously damage the chances of the Democrats in retaining the presidency. Two crazy theories I throw out. One, B Hussein Obama knows had hardly the country is suffering under his economic policies, Obamacare, etc and the real pain will come in after January 2017. He may want the Republicans in the hot seat. Or his hatred of the Clintons may extend past his hatred of the Republican, so he will do what he can to keep her out of the Oval Office. Stay tuned folks!

Security Weekly: Lessons From a Murder in Medellin, October 1, 2015

By Scott Stewart

On the evening of Friday, Sept. 25, American tourist John Mariani left his hotel in Medellin, Colombia, and jumped into a taxi. The 65-year-old New Yorker was staying at one of the many high-class hotels in Medellin's upscale El Poblado neighborhood. But shortly after leaving the hotel, the taxi picked up a tail and was followed by a car and a motorcycle. The drivers of the trailing vehicles reportedly forced the taxi to stop and confronted the driver and Mariani at gunpoint, demanding their wallets and personal belongings. When Mariani refused the gunmen's demands to relinquish his belongings, he was shot dead.

Mariani's tragic death provides a number of security lessons for other travelers.

Understanding the Threat

Colombia has come a long way from the wild days of the late 1980s and early 1990s, as has Medellin, which was once the dangerous headquarters of Pablo Escobar's powerful and brutal Medellin Cartel. Colombia and Medellin are far safer for foreigners to visit now, but crime remains a problem. Indeed, even though the government is making progress in its efforts to negotiate a peace settlement to end its decades-long communist insurgencies, "peace" in Colombia will not automatically result in security. Many of the current rank-and-file members of the Revolutionary Armed Forces of Colombia and National Liberation Army will likely join criminal bands known as Bacrim once they are demobilized. Understanding such dynamics — and how local criminals operate — is one of the most important steps in planning a safe trip abroad.

One place to find this kind of information is publications from the U.S. and foreign governments. For example, the U.S. Department of State's Consular Information Sheet for Colombia states the following in the crime section:

Violent and petty crime remains a significant concern in Colombia. Robbery and other violent crimes, as well as scams against unsuspecting tourists, are common in urban areas. Generally speaking, if you are the victim of a robbery, you should not resist. Firearms are prevalent in Colombia and altercations may turn violent.

This is exactly what happened in the Mariani case: His resistance to the criminals' demands led to a rapid escalation of violence and his death. Normally in Colombia, if you surrender your valuables, you will not be harmed; this is why the U.S. Embassy advises American citizens not to resist. Of course, the type of crimes common in a location will dictate how a traveler should respond to a given threat, so it is important to understand the threat.

Avoiding the Threat

In all circumstances, it is better to see a threat developing and take actions to avoid it than it is to be caught off guard by armed criminals. Because of this we recommend that people practice a proper level of situational awareness, especially when and where the security threat is elevated — for example, going out on the street after dark in Colombia.

It is also important to understand that street crimes, even those that appear to be random, are not. They follow a discernable planning cycle. Although this cycle will vary in duration depending on the type of crime — a purse snatching will likely require a much shorter cycle than a kidnapping for ransom — there are points during that planning cycle when the criminals planning the crime are vulnerable to detection. This is especially true while the criminals are "casing" or conducting surveillance on the potential victim during the target selection and planning phases of the cycle, and as they deploy for the attack. It is by detecting the preparatory activities of the criminal planning cycle that a victim practicing good situational awareness can spot a crime developing and take action to prevent the criminals from consummating their crime — such as dialing the police or turning and walking the other way to avoid the attack zone.

However, once a person has been caught off guard — especially by armed criminals — it is generally advisable to comply with the criminals' demands rather than resist. Armed criminals in many parts of the world will not hesitate to use brutal violence if they are challenged. The advice to comply is particularly applicable when the criminal's demands do not involve something life-threatening. Even in the case of a crime that may result in a significant financial loss, such as an express or traditional kidnapping, it is still better to be a live victim than a dead body. One of the rules of thumb I use in travel security briefings is that no possession is worth your life. But even then, it is better to simply not take important sentimental items with you when traveling to a crime-prone area, because such items could tempt you to hesitate to surrender them. In many parts of the world, a criminal will cut your engagement ring off your dead finger if you refuse or even hesitate to give it up.

Of course the equation is dramatically different in a situation where the criminal encounter is likely to be life-threatening, such as a kidnapping by criminals who could sell you to the Islamic State. In such instances, it is better to attempt to run, hide or fight than to comply.

The Trouble With Taxis

At this point we do not know if Mariani took a registered taxi or an unofficial, "black" taxi. However, by their very nature, taxis are a problem for travelers all around the world. Taxi drivers pose a number of threats, some of which are relatively benign, such as overcharging for a ride. Crimes like this can even occur in areas of the world considered safe. However, in some parts of the world, taxi drivers can pose a more dangerous threat, such as actively helping a criminal gang rob or kidnap — whether express or traditional — a traveler.

Taxi drivers, by nature, are in a position of power because they know where they are going and how much the ride should cost. One way to mitigate the driver's power is through preparation prior to the ride. This can be done by researching travel blogs, using a map, contacting a hotel or asking business associates and contacts in country. A traveler should also use only sanctioned taxis. Many cities will have designated taxi stands where a person can go to hail a taxi. A traveler can often get an estimated fare from this stand. Hotel and restaurant doormen will also usually be willing to hail a reliable taxi for customers. It is generally advisable to never hail a taxi from the street by yourself, especially in a high crime threat location such as Colombia.

In the end, Mariani's death is a tragic event but one that probably could have been avoided. Hopefully, this tragedy can serve as a lesson for other travelers.

Lessons From a Murder in Medellin is republished with permission of Stratfor.

Hackers and their beliefs.

As some of you know I'm in the sunset of my master's degree program in Intelligence Studies-Homeland Security, and right now I'm in the middle of a Cyberwar Class. I'm not a techno geek but I have to say this is an excellent class and right now I'm completing a book review on Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon. It's facinating to read how this weapon was designed and the fact is had some effect but more could have happened without the work of several cyber specalists.

Now today I was looking at my Foreign Policy email and saw this article. I have to say an interesting read. Many of today's "leadership" have no clue of the power of cyber battlespace. Here are the hightlights:

Now is the time to understand more about vuln, so that we may fear less.

By Micah Zenko

August 19, 2015

For a forthcoming book, I spent the last several years interviewing over 100 security researchers, usually self-described as “hackers,” attending security conferences, and watching how these professionals uncovered vulnerabilities and shortcomings in software, computer systems, and everyday devices in order to update and improve them. These ethical, or “white-hat,” hackers are defined primarily by their innate curiosity to discover what new authorized or unauthorized hacks they can accomplish, whether as a hobby or a profession, and their work is usually some mixture of the two. The most simplified way in which this is often explained is “taking something, and making it do something else.”

Hackers are often mistakenly portrayed in popular culture as being inarticulate geeks wearing hoodies — or worse, ninja suits — and possessing limited social skills. I have come to appreciate that the very opposite is true. Despite lacking the technical background required for their profession, I have found that security researchers are more than willing to share their findings, rephrase them repeatedly in simplified terms, discuss their growing concerns about their field, and address the inevitable follow-up questions....

1. Your life is improved and safer because of hackers.

The Internet of Things — the ecosystem of Internet-connected devices — is growing exponentially and will have increased from 13 billion in 2013 to more than 50 billion by 2020, by one estimate. The near ubiquity of chips, sensors, and implants placed into devices will provide users continuously updated cool features and conveniences like smart yoga mats that correct poses and automobile routing notices that help people avoid traffic jams. However, as one hacker explained to me, “What is an expected feature for you is attack surface for me.” Security researchers have successfully hacked — and disclosed their findings to manufacturers before any public revelations — pacemakers, insulin pumps, commercial airliners, industrial control systems for critical infrastructure, hotel key cards, safes, refrigerators, defibrillators, and “smart” rifles. These products were made safer and more reliable only because of the vulnerabilities uncovered by external hackers working pro bono or commissioned by companies, and not by in-house software developers or information technology staff.

2. Almost every hack that you read about in your newspaper lacks important context and background.

You’ve read the eye-popping headlines: “Hackers Remotely Kill a Jeep on the Highway — With Me in It,” “How Your Pacemaker Will Get Hacked,” “Skateboards, drones and your brain: everything got hacked,” “Cars can be hacked. What about a plane?” These sensationalized snapshots and accompanying stories give the impression that everything is vulnerable and easily broken into.

Yet most attempted cyberbreaches go nowhere and are never demonstrated live at a conference or reported in the news. Successful hacking entails failing, trying something different, failing again, and then discovering a flaw or vulnerability that can be further exploited. Hacks that appear in the media are often the result of extensive work by teams of researchers who have varying skills and a deep knowledge of coding, operating systems, and malware that can be repurposed for their current project.

Take, for example, the widely reported Jeep Cherokee hack. It was conducted by Charlie Miller and Chris Valasek, two of the most technically proficient hackers on Earth. Miller holds a Ph.D. in mathematics, worked at the National Security Agency, and was the first person to remotely hack an iPhone, as well as a dozen other “secure” consumer products. Their Jeep hack was the result of an expensive and extensive three years of research that uncovered a number of vulnerabilities in the cars themselves, as well as the Sprint cellular network that provides the telematics for the in-car Wi-Fi, real-time traffic updates, and other aspects of remote connectivity. The point being that each publicly reported hack is unique onto itself and has an unreported background story that is critical to fully comprehending the depth and extent of the uncovered vulnerabilities.

3. Nothing is permanently secured, just temporarily patched.

Hackers experience “constant occupational disappointments and personal/collective joys,” as cultural anthropologist Gabriella Coleman found in her important study of the field. They identify a glaring and obvious weakness, which is then addressed with a software patch, alteration in network architecture, or perhaps minor changes to the IT team and employee procedures. Yes, when the inevitable software glitches appear elsewhere, or an employee clicks open what he believes is an emergency email about his retirement account but that actually installs undetected, malicious code on his computer, new vulnerabilities inevitably reappear. “Cybersecurity on a hamster wheel” is how longtime hacker Dino Dai Zovi describes to me this commonly experienced phenomenon.

For example, consider the femtocell, which is a miniature cell-phone tower that looks like a normal Wi-Fi router. It is used to prevent coverage “dead zones” in rural areas or office buildings, and any cell phone within its vicinity will associate with it without the owner’s knowledge. In 2011, The Hacker’s Choice (THC), which was a hacking collective, was able to get root access to a Vodafone femtocell by reverse-engineering the administrator password — it was “newsys.” This allowed the THC team to steal the voice, data, and SMS messages from all connecting phones. In 2013, a team at the cybersecurity firm iSEC Partners did this with a Verizon femtocell by exploiting a built-in delay in the boot-up process. At the DEF CON security conference this year, Yuwei Zheng and Haoqi Shan successfully hacked a femtocell in China using a slightly more complicated vulnerability in the boot-up process. I spoke with Zheng and Shan after their presentation, and they explained that the hack took them about a month of work, at night after their day jobs. Inevitably, other femtocells will be hacked, and patched, and hacked again in the future.

4. Hackers continue to face uncertain legal and liability threats.

You would think that manufacturers would welcome somebody discretely alerting them to a vulnerability in their products, and, indeed, some incentivize this through “bug bounties” that pay hackers who responsibly disclose security shortcomings. However, some manufacturers refuse to acknowledge that the shortcomings exist, threaten to file lawsuits, or report the researchers to law enforcement authorities under the belief that they are being blackmailed. It is important that white-hat hackers are protected and encouraged to do their work, because for every hack that they disclose to manufacturers, there are other government, criminal, or malicious hacking teams that have probably found the same vulnerability, which they have kept to themselves to exploit or sell on the black market.

There are two pressing legal and regulatory concerns. First, hackers argue that the U.S. Computer Fraud and Abuse Act (CFAA), which was passed into law the same year that Matthew Broderick hacked his high school’s computer network to change his grades in Ferris Bueller’s Day Off, is hopelessly out of date and has been abused by prosecutors to go after individuals engaged in non-malicious hacking rather than actual computer crime. The law prohibits anyone from intentionally accessing a computer or computer network “without authorization” or “exceed[ing] authorized access.” In one case, three Massachusetts Institute of Technology students who found vulnerabilities in the Massachusetts Bay Transportation Authority (MBTA) ticketing system that would allow people to obtain free rides were barred by an MBTA restraining order from presenting their findings in 2008 — implying that discussing a hack was equal to undertaking it. More tragically, Aaron Swartz committed suicide in January 2013 while facing up to 35 years in federal prison for 11 purported violations of the CFAA. Sensible proposals to update and reform the CFAA have unfortunately gone nowhere.

Similarly, the Wassenaar Arrangement, a multilateral export-control regime, faces criticism for threatening the effectiveness and efficiency of increasingly commonplace bug-bounty programs. This would not only risk what have been successful programs, but would disproportionately hurt independent, self-employed hackers who make a living this way. The U.S. Commerce Department’s Bureau of Industry and Security recently proposed an update to Wassenaar that would require licenses when exporting intrusion software technology — a change that is believed would likely hinder research and development and slow the process of disclosing vulnerabilities.

5. There is a wide disconnect between cyberpolicy and cybersecurity researchers.

At cybersecurity roundtables and conferences in Washington, generally few people in the room have any technical knowledge or have personally engaged in any sort of hacking. Rather, these events are attended by security generalists (like yours truly) who clumsily transfer concepts from other domains, particularly deterrence theory, which was developed a half-century ago for thinking through U.S.-Soviet Union nuclear war dynamics. “We are trying to bridge the gap by building a network of foreign-policy wonks, reps from the tech companies, and technology experts,” said my colleague Adam Segal, director of the Council on Foreign Relations’ Digital and Cyberspace Policy Program, “but there are still big differences in culture and outlook.”

Meanwhile, hackers hate the very word “cyber” because it is a meaningless prefix for anything related to the Internet and overlooks other aspects impacting computer security, like physical security, social engineering, insider threats, and radio-frequency jamming, hacking, or spoofing. Nevertheless, they will embrace the term reluctantly in order to be listened to in Washington, though they are rarely invited to government or think-tank events, nor would they even know how to be invited. The consequences of this disconnect are evident in policy proposals and debates that rarely take into account responsible hackers’ concerns or the readily available exploits and malware that any malicious hacker could utilize.

There are some hackers and government officials making efforts to bridge this divide. Representatives from the I Am The Cavalry grassroots movement, which focuses on cybersecurity issues that impact public safety and human life in order to ensure that technologies are trustworthy, have given more than 200 briefings on Capitol Hill. Meanwhile, government officials like Ashkan Soltani, chief technologist of the Federal Trade Commission, is a regular contributor to hacker conversations, and Suzanne Schwartz of the Food and Drug Administration called in to thank I Am The Cavalry during the BSides Las Vegas conference, while Randy Wheeler of the Bureau of Industry and Security took tough questions over the phone about the proposed Wassenaar Arrangement changes during an Electronic Frontier Foundation panel at DEF CON. Nevertheless, there are still too few security researchers and government officials willing or courageous enough to communicate in public. While the poisoning of the relationship that resulted from the Edward Snowden disclosures has largely dissipated, far more trust and dialogue is needed as Internet-based threats proliferate.

6. Hackers comprise a distinct community with its own ethics, morals, and values, many of which are tacit, but others that are enforced through self-policing.

Predominantly, hackers just want the freedom to do their work and remain private or anonymous from the government or commercial sector if they so choose. They look down on colleagues who claim to have produced “unbreakable” encryption software or mobile devices or who spend too much time bragging in the news rather than demonstrating serious, innovative research in published papers.

Hackers also share a deep appreciation for self-deprecation and black humor. When a speaker canceled at DEF CON, there was a spirited round of “Spot the Fed,” where a moderator who knew several government employees in the audience encouraged others to try to identify them. They were unsuccessful; everybody thought all government and law enforcement workers were men wearing khaki pants (fair enough). There was also a first-time panel appropriately titled Drunk Hacker History. It included garbled tales from prominent hackers and Katie Moussouris of HackerOne singing her own composition: “History of Vuln Disclosure: The Musical.” Hopefully, this panel will appear on YouTube, as many DEF CON talks eventually do....

The next high ground in battle will be invisible. Cyberwarfare is a great challenge to us, our allies and our adversaries and I fear we are not, as of yet, up to the task.

Security Weekly: Security for Meetings, March 19, 2015

By Scott Stewart

In last week's Security Weekly I discussed an attack against U.S. Ambassador Mark Lippert in Seoul that occurred as he was attending a breakfast meeting hosted by the Korean Council for Reconciliation and Cooperation at the Sejong Center for the Performing Arts.

After that article, I received an email from a friend who works for a large global nongovernmental organization. He asked if I could write a Security Weekly discussing how people without a security background can help plan security for meetings and conferences. I'd be remiss if I didn't first recommend that NGOs, companies and academic institutions hire or train up competent security professionals to help them secure their people and assets. However, I also understand that budgets — and sometimes organizational and corporate culture — often make that difficult, and as a result non-security people are often tasked with planning conferences and meetings.

As a final disclaimer, there is so much variation in the size and type of meetings and conferences that no guide can possibly cover them all. But I will try to provide some general guidelines.

Step 1: Threat Assessment

To assess the threats to meeting participants, you must first have a full understanding of the meeting's format and purpose. A small, private, invitation-only meeting requires far different security preparations than a large meeting open to the public and advertised in advance. Obviously, it is preferable that the threat assessment be completed before a location and venue are selected and be used to help guide those decisions rather than being done after the fact.

When considering the types of threats that could affect meeting participants, it is also important to remember that not all threats are connected to violence. Intelligence threats, natural disasters, fire, medical emergencies and health threats such as disease must also be considered.

The threat assessment must be conducted at several levels to determine an appropriate venue for the desired type of meeting, considering the specific venue, but also the city, region and country, for potential threats. Should we hold this meeting in Kandahar, or is Kabul safer? Do we stand a greater risk of losing proprietary information if we hold our Asian sales conference in China instead of Japan? Given the French emphasis on economic espionage, do we really want to have our corporate board meeting in Paris? Should we hold that meeting in New Delhi during prime dengue season? The primer we published for planning a safe trip abroad provides a list of good resources for obtaining much of the information required for such an assessment. Local contacts and trusted in-country security contacts can also be valuable in this process, especially with regard to specific venues.

In terms of venue, obviously the size of your audience is going to influence your choice of location: There may be a limited number of venues that can handle the number of people you expect to attend your event. But in general, there will often be a need for a decision on whether it is better to try to keep your meeting location low-key and out of the spotlight, or whether you will opt for the more visible security presence at a more high-profile venue.

As we have discussed for many years now, there is a terrorist threat to high-profile Western hotels. While hotel security managers have done a great job of hardening their security to counter this threat, it nonetheless persists, and by simply holding your meeting in a Western hotel you might place your people in a "wrong place, wrong time" situation. Thus, a risk/benefit analysis must be made to determine whether the superior security at a Western hotel is worth the tradeoff that the venue itself could be targeted merely for being a Western hotel. The answer to this question will vary based on the purpose of the meeting, the profile of the attendees, and the country and city in which the meeting will be held.

"Because we've always met there" is not an adequate reason to continue meeting at a specific venue if the assessment is that meeting at the venue presents a risk. Indeed, a long history of meeting at the same location could mean that any actor who poses a threat is also aware of this history and would have ample time to plant a listening device or prepare for an attack before the meeting.

Step 2: Protective Intelligence Assessment

In addition to considering general threats related to your organization, the country and city of the meeting, and the venue, you also need to conduct a granular assessment of any threats to your organization as it pertains to that particular place. Are there people or groups in the place where the meeting will be held that have come to the attention of your organization in a negative way in the past? Protesters, disgruntled customers, angry former employees, or mentally disturbed individuals with an abnormal focus of interest on your organization? Hopefully, your organization maintains a database of such people and groups to assist in this task.

If such people or groups are in the area where the meeting will be held, an assessment should be made of the danger they pose and the likelihood of them discovering your meeting and attempting to disrupt it. The names, information and photos (if available) of such people should be shared with venue security and local law enforcement. If deemed appropriate, meeting attendees should also be briefed about potential threats — especially if there is a chance such individuals approach or confront meeting attendees. In this situation, it is much better for attendees to be forewarned than it is for them to be caught off guard.

If there is a VIP attending your meeting, you should contact their staff to determine if they are bringing security with them or if they expect you to provide appropriate security for them. You will have to coordinate or create a plan for their arrival, a holding or safe room, and contingency plans in case of fire, attack or medical emergency.

In such a case you should also do a protective intelligence assessment on the VIP to see what their threat profile is and if they could be dragging security problems, in the way of protesters, mentally disturbed individuals or even terrorism, to your event. The VIP's security team can be a valuable source of such protective intelligence.

When I was working for a large multinational company, we once had a high-profile CEO of another company come to speak at a large customer event. Not only did our security team have to provide security for the CEO during the trip, but he was also a veritable magnet for mentally disturbed individuals. The CEO's visit was discussed in advance by the local news media and his presence resulted in several mentally disturbed individuals showing up at our event in an effort to contact him.

Step 3: Planning

It is difficult to plan security for an event at a venue without first visiting the venue. This will allow you to assess the security personnel and procedures in place and determine if additional security is needed. Such additional measures may include bomb or technical security countermeasure sweeps. For some larger events, you might have to arrange for additional access control and some sort of magnetometer or pat-down screening for members of the public attending.

Registration and badging are also important access control tools. Many times hotels and convention centers will have a trusted security vendor who can provide additional security officers. It is sometimes possible to coordinate with the local police to hire off-duty officers or even to arrange for on-duty officers to provide extra security for a meeting depending on the location and circumstances.

When looking at the security of a venue it is very important to physically examine all the fire exits and fire control equipment. On many occasions, I have encountered meeting venues with fire exits that were clogged with furniture or other items and therefore impassible, fire doors padlocked shut with a chain, and fire extinguishers that were expended, expired or otherwise not properly charged. Such equipment, including emergency lighting — and if appropriate, backup generators — should be inspected. Fire is a very real killer and should not be ignored, so fire evacuation plans are important.

From a statistical standpoint, a medical problem such as a heart attack is also far more likely to impact a meeting participant than a terrorist attack. Meeting planners should therefore plan for medical emergencies, including medical evacuation in places were modern medical care is not available.

Communications planning is also important. Planners need to ensure they have a way to quickly contact security personnel, key meeting coordinators, transportation companies and local authorities. Depending on the size of the event and the location, radios may prove to be more useful than cellphones. This is especially true in emergency situations that take the cellphone network down or if the cellphone network becomes overloaded as the result of an emergency situation. Backup communication channels should also be planned.

Depending on the threat and the venue, thought should be given to providing a security briefing to conference participants instructing them what to do in the case of a terrorist attack, fire or natural disaster. Security conditions and considerations for participants engaging in events outside of the meeting venue can be discussed. At the very least, event staff should be thoroughly briefed on what to do in the case of such emergencies.

In an event where access control is deemed necessary, it should be maintained for the entire meeting and access control points should not be abandoned after the event begins. A way for access control personnel to signal a problem to security and law enforcement should be established, as should a means of alerting the participants to an active shooter or other urgent security problem.

But access control will not be necessary for every event. Your security plan needs to be measured, appropriately logical and as non-invasive as possible to protect against the threats identified in your assessment.

One other thing that is critical to remember is that security plans must be flexible. It is a rare event that comes off without a hitch, and security plans must be able to adapt to changes and problems that arise. Indeed, it is hoped that the security plan will provide a general guide to respond to unforeseen events.

Security for Meetings is republished with permission of Stratfor."