I want to preface this short post with two caveats
I think the responders in Manchester have done, and continue to do, an incredible job. Not just the emergency services, not just the NHS staff, but everyone who has helped in any way. It’s a clear demonstration of the many supporting the few.
My sincere condolences are with all the families of those killed, and with anyone affected by Monday’s events. I encourage you to dig deep and donate to the appeal fund to help support them through the difficult months and years ahead.
I didn’t know any of the victims or casualties from Monday’s attack, but I did follow one on Twitter. He brought his infectious sense of humour to my news feed. His name was Martyn Hett.
Martyn was 29. Facebook was launched when he was 16, Twitter when he was 18. He, and millions of others (myself included) have grown up not just with ‘IRL’ friends, but a whole network of online friends and acquaintances. Communities for whom sharing the same geography isn’t a factor.
I’ve seen outpourings of grief online from people that never knew Martyn. I’ve also seen those people supporting each other, showing compassion and kindness. The ripples of the incident go far beyond the physical communities within which he moved.
With more of us being connected through social media (or other platforms the internet has to offer), I think this needs to be a factor in how we design emergency response.
The world, our cities, and the people within them are constantly changing. It’s difficult (perhaps impossible) for large organisations to react quickly to every single one of those changes.
My hope is that emergency planners, especially those digital natives who have grown up online like Martyn, continue to challenge current processes, ensure arrangements reflect changes in society and above all, don’t forget that you’re doing this for anyone who is affected by an incident, no matter where they happen to be.
The tl;dr version of this post: don’t forget about the insider threat!
This week I attended the first in a series of three events by the Institution of Civil Engineers entitled Preparing London. This particular event was designed to consider the human threats to infrastructure.
Ok, so maybe not everything worth knowing about cyber risk is summarised in Jurassic Park, but it’s a useful introduction into what happens when the tables are turned and technology which usually helps keep us safe, becomes the risk.
Everything in Jurassic Park is connected. The electric fences, the lighting in the visitor centre, the locks on the doors. When it’s working as planned, this connectivity helps the park’s management maintain an efficient operation and a positive guest experience.
However, such a complex system requires some centralised control. Looking at this through a business continuity lens, this is a clear single point of failure. An inherent risk.
Dennis Nedry exploits his colleagues limited understanding to enact his attack. He uses his tech-savvy advantage to provide cover for him stealing intellectual property, whilst putting lots of people in danger. The ultimate lesson here is that the real monsters aren’t the dinosaurs.
Objects in mirror are closer than they appear.
As well as a light-hearted moment during the dinosaur chase sequence, I think Spielberg also snuck this in as a metaphor for risks manifesting in ways which had not been considered.
Were the Jurassic Park team aware of cyber risk? Yes, there is literally a scene about passwords. I expect a lot of people assume that a good password is all they need for their IT security.
It’s clear they had also considered other risks, and had taken proactive action to control that risk. Electric fences, professional hunters, CCTV and motion sensors and the attempt at all-female genetic engineering are just some of the risk controls in the film.
But had the team considered the possibility that an employee would want to hold the park to ransom for personal gain? Could they have identified the vulnerability of the computerised control? Could they have done more in advance to protect the systems from malicious attack?
Dennis, our lives are in your hands.
Early in the film there are hints at Nedry’s personal financial difficulties. Later he mumbles to himself about test runs of his embryo heist.
John Hammond, the park owner recognises the power that Nedry has.
There were clearly signals which the team missed and knowledge which is combined, could have allowed an intervention before he got the opportunity to shut down the park.
Clever girl / I know this.
Just as the team hadn’t anticipated an insider threat, Nedry wasn’t expecting a tech-savvy teenager to thwart his plan.
Just when it looks like the raptors will get into the control room, Lex (the park owner’s granddaughter) recognises the Unix system and takes maters into her own hands.
The actual interface may be debatable (in researching (yes, research!) this post I’ve found that it was technically available, but I’m doubtful that a school student would have been aware), but it comes as no surprise that kids have a natural affinity with the technology that adults have to think about.
Side note: Provided the right precautions are in place to prevent unauthorised use, user friendly systems aren’t just a productivity win; they help prevent people finding work-arounds or backdoors.
Life finds a way.
With the ever increasing access to, and pervasiveness of the Internet and smart devices, Jurassic Park remains relevant today.
I’d argue that we’ve already reached a point where complete understanding of system interdependencies is impossible. Our societies and the technologies used are just too complex. However, we can continue to challenge our assumptions, keep our risk assessments grounded in reality and take action in advance to mitigate that risk.
It’s also a reminder that physical and IT security are just parts of the puzzle when it comes to risk management. Solutions are also required, sadly, to prevent against malicious attack by either insiders or outsiders.
How do we know that decisions taken in an emergency are appropriate? Ensuring appropriate checks and balances can help reduce the influence of groupthink or any other of these decision making biases.
In high stress situations, when the stakes are high, like in an emergency, could emergency managers could do to support those making the strategic decisions? Do they understand the complexity of the issues? Have they considered all of the options? Have they thought through all of the ramifications of their decisions? Are their decisions justifiable and defensible?
Back in 2014 I binge-watched a TV series called The Newsroom, which shows what goes on ‘behind the scenes’ to make a fictional American news programme.
In the second season, the group of journalists close in on a story relating to the use of chemical weapons by the US army in Pakistan. Whilst the team are confident in the authenticity of the material, they don’t want to run with the story until they are absolutely sure.
Enter the Red Team. A group of researchers and producers deliberately isolated from the investigation so they can later examine the facts and determine whether to air the story.
Here’s the trailer for Season 1 of The Newsroom
What if we did something similar in emergency management? This is how it could work:
There would be no change to the nominated individuals who are already ‘on-call’ to provide strategic decision making (for simplicity, let’s call them the Blue Team)
Another set of individuals would be identified as the Red Team
Both teams require the same level of training, briefing and access to information
In addition, the Red Team needs an awareness of the psychological factors which influence decision making
The Red Team can only be summoned at the request of the Blue Team – this avoids interference or overstepping their role of critical friend
Should the Blue Team come up against a problem, or not reach agreement on a course of action, the Red Team could be called to offer a view, or to mediate between differing perspectives. Having maintained a distance, the Red Team would poke holes and identify the risks and bugs that insiders might have missed.
There are a number of drawbacks to implementing a Red Team approach. These include the increased resource required to staff dual roles. Culturally, it’s new, and there would undoubtedly be some reticence to decisions being challenged where they previously haven’t been.
I recognise these practicalities may make Red Teaming impossible to achieve in reality. However, the process could be useful in exercises or in thinking about strategic decision making processes.
As noted in my last post, this might not yet be a fully formed idea, and I’d be interested in any thoughts that colleagues might have about whether they have seen this approach used, or could see any reasons that it would not be something to experiment with.
One of the things I find most interesting about the Timehop app on my phone is how much my style of posting (especially to Facebook) has changed over 10 years. The melodrama is embarrassing and entertaining in equal measure. It’s interesting to see how what I was prompted to post about has changed. (Notice how I have deliberately stayed away from labelling this change as growth!)
The last blog post I wrote was waaaay back in August. I was thinking about the reasons for this, and it’s a combination of two things
Too many boxsets to catch up with on Netflix – seriously, if you haven’t seen Designated Survivor you are missing out! It’s prefect kick-back-and-relax telly for emergency managers!
A feeling that I was loosing, or at the very least, confusing my own voice with my work one. As the lead for “external relations and digital” for London Resilience, I started to find it difficult to have enough to say that was notably different from what I was already saying at work.
I had some pretty strong views back in the day. You may remember such blog posts as “Exercises are pointless” and “CBRN is elitist“. Since then (maybe because I’d already vented?) I started to find I didn’t feel as passionately about things anymore. For a while I felt I was becoming disinterested, but realised it was more about feeling I didn’t have anything new to add to the conversation.
In 2017, I want to re-establish my voice and blog. This might sound grandiose, even pompous, but I’ve found blogging helps me solidify proto-ideas. The process of writing something down means wider reading, consulting different sources, opening myself up to new ideas and discussing with colleagues.
I guess the other aspect is that the nature of being online has changed too. Is a blog the best medium? Should I, in fact, be using Medium? What’s the relationship to other platforms like Twitter and LinkedIn? These are all things I’ll no-doubt continue to unravel throughout the year. As with Timehop, I hope that one day I’ll be able to look back through my blog and see how my thoughts have evolved and what they have been shaped by.
So what is likely to follow in 2017? I think it would be unwise to commit to a regular schedule of blogging, I don’t want to be a slave to the blog. However, expect posts about the things that interest me, that frustrate me, that could be better. I’ll try not to moan too much, it’s all intended to be constructive and to help me (and perhaps others) improve what we do.
Best wished for 2017, and remember, if you want to get in touch hit me up @mtthwhgn on Twitter – I’ve love to have a conversation not just air my own thoughts.
The Olympics is a bit like an alien invasion. The organising committee speak their own language and expect things to happen in ways which might be unfamiliar to locals. Even the London 2012 Olympic mascots looked a bit other-worldly.
With a touch of nostalgia, I thought I’d take a look back at the emergency planning considerations four years ago, and how things have changed just days from the start of Rio 2016.
I joined London Resilience with about 18 months to go. Planning and preparation for the Games was already at an advanced stage but there was still lots to do. I spent much of that year providing assurances to the Mayor, LOCOG (the Olympic Organising Committee) and Government that organisations in London were ready.
From the massacre in Munich in 1972, bombings in Spain just ahead of the 1992 Barcelona Games to the Atlanta bombing in 1996; the history of the Games is punctuated with incidents. In London, the bombings following the Host City announcement in July 2005 provided a sombre backdrop and framed much of the subsequent planning.
News from Brazil this week of problems with the accommodation for athletes, sadly, doesn’t surprise me. I visited the Olympic Park many times, and can distinctly remember the unfinished 1970’s spanish holiday resort vibe that I got from our own athlete’s facilities, even quite late in the process. In contrast, I also remember being in awe of the late Zaha Hadid’s Aquatics Centre!
Many of the risks we had planned for didn’t occur (for example, the importation of African Horse Sickness or an unconventional attack on a crowded place). Going through the planning process made sure all responders knew their roles and how members of the public would be supported. As well as planning together, a whole series of exercises helped confirm the validity of arrangements in place.
It wasn’t just the emergency arrangements which were practised; I was fortunate enough to attend one of the dress rehearsal events for Danny Boyle’s Opening Ceremony. This is an experience that I will never forget! (As an aside, I’d also really recommend the Imagine: documentary on the Opening Ceremony!)
For 61 days I managed a control room where partners worked 24/7 so that in the unlikely event of an emergency, structures were in place to respond. We were involved in the response to 154 incidents and the ability to react early meant the majority were small-scale and did not escalate. Thankfully there were a number of incidents which I didn’t have to get involved with…and which we hadn’t anticipated!
One of the big challenges which sticks with me from 2012 was what was referred to as ‘The Last Mile’, and ensuring shared understanding of responsibilities in the gap between public transport hubs and sporting venues.
Hosting the Olympics carries similar challenges regardless of Host City. Bringing in tens of thousands of athletes, many more spectators and officials (who will likely be unfamiliar with local arrangements), and putting the city front-and-centre in the eyes of the media pose challenges.
The Games this summer in Rio occur in a world which has faced recent attacks in public spaces (a sadly extensive list) and one which continues to experience internationally significant outbreaks of disease like Ebola and Zika.
Whilst there are undoubtedly opportunities to share learning and experiences between Host Cities, there are also so many differences in how the cities are administered, the impact the Games has as well as the potential for change in the four years between events (live streaming video will put far more pressure on telecoms networks in Rio for example).
Like an alien abduction, hosting the games is something you can only really understand once you’ve experienced it (or so I’m told!)!
Best of luck to colleagues in Brazil – I’ll be watching!
Coordinated by London Fire Brigade, the exercise simulated the collapse of a building in central London punching into an underlying tube tunnel as an underground train was passing. Check out the @LDN_prepared Storify below for a collection of tweets from participants as the exercise progressed.
Since 2014 my involvement, as workstream lead for the Command Post element of the exercise was to make sure that participating organisations achieved their own objectives as well as the overarching objectives of the whole exercise. This meant that, in addition to emergency response and rescue, the scenario included strategic consideration of
disruption to transport services, utilities and the environment
distribution of casualties and fatalities across and outside of London
requests for national and international support and
considering the information and long term support provided the public, businesses and to individuals and communities affected.
Did I follow my own advice?
I’ve blogged previously about how, if not managed appropriately, the value of exercises can be limited. If I wanted Unified Response to be different, I needed to follow my own advice, which boiled down to six key points
Use locations you would use in reality
Make it no notice as far as possible
Draw participants from what’s available on the day
Don’t let the scenario win out over objectives
Speaking of objectives – have lots of specific ones rather than sweeping generalities
Evaluate. Evaluate. Evaluate.
During the four days of the exercise many lessons were learned dynamically. Undoubtedly there will be lots more learning to come out through the debrief processes. It’s not the intention of this post to debrief the exercise, but to revisit the points from my earlier blog. Did I follow my own advice? In hindsight, have I got any additional thoughts on getting the best return on investment from exercises?
Objectives and Scenario Fidelity
Developing SMART style objectives rather than “to exercise our major incident response” became my own personal crusade for a while at the start of the planning process. In the long-run this made developing the scenario easier and we were able to tie all injects (nearly 2000) to objectives, which will support ongoing evaluation.
From the outset my starting point was to develop the highest level of fidelity as possible. Over the past year I found myself continually asking “but what would happen in reality?” or “If this incident took place today what would actually happen?”
It’s easy when planning something on this scale to let creativity get the better of you. However it’s a fine balance and it wasn’t always possible to simulate reality without a consequential effect on the ability to meet exercise objectives.
For instance, one objective related to the activation and integration of international specialist rescue teams, but the scenario also included a ruptured water main and sewer which provided grounds for participation for a wide range of organisations. In reality, the presence of these hazards would have impacted on the ability to implement the technical rescue (as responder safety has to be a consideration) however in the exercise, water and sewage were notional.
Where there were simultaneously elements of live and notional play, there were challenges in how well they meshed together. Further to this, many organisations chose to use real-world conditions alongside exercise scenario. In addition to the incident at Waterloo, real-life traffic accidents and train delays all added to the complexity and realism. This is the first time that I’ve seen, first-hand, this attempted in an exercise. The closest I’ve seen are Emergo exercises which use real hospital bed states and staffing to determine capacity challenges for mass casualty management. Limited to one organisation it’s difficult enough to cross-check the impact of the scenario on the real world, but with so many participants this became very complex.
Locations, Dates and Times
This wasn’t always possible due to operational conditions or extent of participation, but by and large venues used were those which would be used in reality. This means that anything learned relating to the operation of those facilities is valuable and can be actioned. Not all of the learning is technical in nature. Softer, skills-based aspects (for instance, teleconference etiquette) is something which can develop with repeated practice. Familiarity with processes, technology and each other in non-incident conditions will improve crisis response.
In order to make sure that decisions taken at a strategic level were appropriate it was necessary to warn senior representatives of the exercise dates. However, I strongly resisted demands to schedule meetings in advance. Establishing the ‘battle rhythm‘ is a key incident management skill. If we’d pre-planned meetings the learning opportunity would be reduced.
I also made sure, by having a relatively small but empowered planning group, that the integrity of the exercise was preserved. Nobody involved in exercise play, not even my own management, knew the full extent of the scenario. This meant unanticipated questions seeking assurance that the exercise would be sufficiently challenging. Such assurance was provided by exploring parallels to past incidents and exercises with subject matter experts to develop the most comprehensive exercise I have been involved in. (We went as far as developing complete documentation for a fictitious construction company and producing staff records for fictional injured responders).
Participants and Advance Notice
As mentioned already, some representatives were essential and therefore did have prior notice. However, even when they knew the date of the exercise, they did not know anything about timings or scenario progression. There were short-notice requests and demands to be in multiple places at the same time, as there would be in reality.
Arguably these issues could have been avoided through advance notice, but then we would have been generating a false environment and actual learning about how to resolve those problems would not have been identified.
The ability to prioritise and dynamically allocate resources is another crisis management skill, one which many of the participants in the exercise had the opportunity to practise.
What else did I learn?
I think my own personal learning relates more to the role of exercise control during an exercise of this scale.Having a good team with all the necessary expert knowledge and most importantly a problem-solving approach is absolutely essential.
If there was one aspect that I would look to improve next time, it would be to ensure communication between players and facilitators. So my seventh rule for exercise planning, would be to consider structures for exercise control earlier in the planning phase.
Synchronising an exercise with 30 different locations, 85 organisations and over 4000 participants was always going to be a challenge. Over the course of the exercise I spent more than 106 hours in Exercise Control, managing command post activity, resolving issues, creating simulated material and ensuring ‘my activity’ kept in step with all other exercise activity. The responsiveness of my Exercise Control team to roll with decisions made in exercise play was crucial, but this could have been made easier with a more complete picture of the response.
There were some challenges along the way, but I thoroughly enjoyed Exercise Unified Response. Whilst I hope we never have to do it for real, the learning that will be taken from it will improve emergency responses in London and further afield. As my own reflections solidify I’m sure there will be more posts on Unified Response, but if you do have questions please get in touch.
It’s cliche, but recovery starts at the moment that something bad happens. If you fall down and break your leg, nobody says “oh, just wait a bit before getting medical attention”; you get the help that you need when you most need it.
In a disaster, there is almost unanimous agreement that recovery starts as soon as the incident happens. I fundamentally agree with this, and in a broad sense even response activities can be classified as ‘recovery’ interventions of some sort. However, in the typically process-dominated world of emergency management (in the UK at least) this mantra that recovery starts at the outset of the incident is, in my opinion, both misinterpreted and over simplified.
Let’s revisit the broken leg scenario – yes you get help, but you don’t skip straight to physiotherapy…you need time to heal first.
As I’ve been working on the planning for Exercise Unified Response I’ve been frustrated by comments from colleagues insisting that because we have this mantra, that there should be recovery meetings from the outset. On one hand I agree with the philosophy, but on the other hand in practical terms surely you need to understand what it is you’re recovering from before you try to attempt recovery?
In my experience it’s rare that the precise impact of an incident is understood from the outset. Indeed, the likelihood of cascading failures and secondary incidents means that in some circumstances the initial incident isn’t even the biggest concern from a recovery point of view.
Provided that response actions are effective and appreciative of longer-term prognosis, I think you can afford to take a breath before formally implementing structures contained within your long-term recovery plan. In the emergency phase lots of decisions need to be taken in sub-optimal conditions. It’s surely doing a disservice to the objective of long-term recovery to take decisions which have wide reaching implications without a more well developed understanding?
I’m not advocating ‘not doing recovery’, if anything it’s one of the most important aspects. I’m just saying do we need to rush into recovery at the same speed as emergency response, or should it be more considered? Would it help to view everything that happens after the incident as ‘recovery’, but that recovery needn’t rely on the activation of a specific plan? That sometimes the rigidity of the structures that have been developed can be a constraint?
There you have it, my first blog in ages, and I’m posing what I expect is a fairly controversial question! I’d be interested in your views about the practicality of when recovery can actually start!