1 00:00:00,900 --> 00:00:31,998 (MUSIC) 2 00:00:31,998 --> 00:00:35,201 >>:The insider threat is one of the most complex challenges 3 00:00:35,201 --> 00:00:38,705 facing organizations in law enforcement alike. It is 4 00:00:38,705 --> 00:00:41,775 defined as one or more individuals with the access or 5 00:00:41,775 --> 00:00:44,811 inside knowledge of an organization that would allow 6 00:00:44,811 --> 00:00:46,880 them to exploit the vulnerabilities of that 7 00:00:46,880 --> 00:00:49,449 entity's security or facilities with the intent to 8 00:00:49,449 --> 00:00:53,253 cause harm. This video examines three manifestations 9 00:00:53,253 --> 00:00:56,489 of the insider threat - terrorism, where an insider 10 00:00:56,489 --> 00:01:00,193 attacks civilians for a political ideology, workplace 11 00:01:00,193 --> 00:01:03,096 violence and a coworker who commits a violent act in the 12 00:01:03,096 --> 00:01:07,133 office, and finally, the multifaceted insider threats 13 00:01:07,133 --> 00:01:10,503 of cybersecurity, both those looking to penetrate network 14 00:01:10,503 --> 00:01:13,506 security and those who open vulnerabilities by not 15 00:01:13,506 --> 00:01:17,043 following protocol. We begin by looking at counterterrorism 16 00:01:17,043 --> 00:01:20,313 and how a political ideology can drive an insider toward 17 00:01:20,313 --> 00:01:24,317 radicalization in plain sight. For instance, San Bernardino, 18 00:01:24,317 --> 00:01:28,354 where, in 2015, two gunmen pledging allegiance to ISIS 19 00:01:28,354 --> 00:01:31,591 attacked co-workers at an office Christmas party. Forty 20 00:01:31,591 --> 00:01:34,327 were wounded or killed in the attack, which was foreshadowed 21 00:01:34,327 --> 00:01:36,963 by several workplace arguments regarding religion and 22 00:01:36,963 --> 00:01:40,834 politics. The couple exhibited many signs of radicalization, 23 00:01:41,034 --> 00:01:44,404 obtaining media by al-Qaida and ISIS, confronting 24 00:01:44,404 --> 00:01:47,073 co-workers about their faith and purchasing more than 25 00:01:47,073 --> 00:01:51,311 $30,000 in weapons. The attack resulted in a deadly shootout 26 00:01:51,311 --> 00:01:53,847 with police on the highway. And a sweep of the area 27 00:01:53,847 --> 00:01:56,683 revealed that the couple had intended to use improvised 28 00:01:56,683 --> 00:02:00,153 explosives in the attack. What can we do to prevent attacks 29 00:02:00,153 --> 00:02:03,256 like this in the future when an insider has voiced radical 30 00:02:03,256 --> 00:02:06,659 ideations and begins to intimidate colleagues? We talk 31 00:02:06,659 --> 00:02:09,729 to experts about the signs of radicalization and the use of 32 00:02:09,729 --> 00:02:12,966 reporting suspicious behavior to law enforcement. One of 33 00:02:12,966 --> 00:02:16,135 those experts is Ed Davis, who was commissioner of the Boston 34 00:02:16,135 --> 00:02:18,771 Police Department when they faced a terror attack of their 35 00:02:18,771 --> 00:02:20,340 own just two years earlier. 36 00:02:20,640 --> 00:02:23,776 >>:One of the things that we recognized after sort of doing 37 00:02:23,776 --> 00:02:30,049 a post-mortem on the Tsarnaev investigation was that he - 38 00:02:30,049 --> 00:02:34,053 Tamerlan had acted out in the mosque in Cambridge. On two 39 00:02:34,053 --> 00:02:38,124 different occasions, he had objected and had arguments 40 00:02:38,124 --> 00:02:42,695 with the imam about what the imam was suggesting. The - he 41 00:02:42,695 --> 00:02:46,533 wanted the imam to be more radical, to be more in 42 00:02:46,533 --> 00:02:51,271 alignment with Sharia law and less of Western in the way 43 00:02:51,271 --> 00:02:55,241 that he was teaching Islam. And so that's a warning when 44 00:02:55,241 --> 00:02:58,044 you see somebody in the congregation standing up and 45 00:02:58,044 --> 00:03:03,716 demanding things that might indicate extremism. If that 46 00:03:03,716 --> 00:03:06,519 imam had felt comfortable enough with us to call us and 47 00:03:06,519 --> 00:03:09,222 say, I don't know what to do with this guy. You know, they 48 00:03:09,222 --> 00:03:13,159 eventually ejected him from the mosque. If, at some point, 49 00:03:13,159 --> 00:03:16,162 we had heard about that, it may have reactivated the FBI 50 00:03:16,162 --> 00:03:19,265 investigation. And whether it was his family or the 51 00:03:19,265 --> 00:03:22,168 community around him, if someone had reached out to us, 52 00:03:22,168 --> 00:03:24,537 it might've changed the whole trajectory of this incident. I 53 00:03:24,537 --> 00:03:26,773 think people should realize that police get calls like 54 00:03:26,773 --> 00:03:31,411 this all the time reporting a fear or something that they - 55 00:03:31,411 --> 00:03:33,980 that's concerning them. We would much rather check that 56 00:03:33,980 --> 00:03:36,916 out and have it lead to nothing than not get the call 57 00:03:36,916 --> 00:03:37,951 and have an incident occur. 58 00:03:38,251 --> 00:03:41,287 >>:When it comes to insider threat and when it comes to 59 00:03:41,287 --> 00:03:45,992 counterterrorism, we can and should suffer false positives. 60 00:03:46,526 --> 00:03:52,865 Shutting down nonviable paths or proving the null is just as 61 00:03:52,865 --> 00:03:57,003 valuable or sometimes more valuable than, you know, being 62 00:03:57,003 --> 00:03:59,238 on the scent of the truth and in fact can 63 00:03:59,238 --> 00:04:00,873 help you get there faster. 64 00:04:00,873 --> 00:04:03,176 >>:If I could say anything that you can glean and you can 65 00:04:03,176 --> 00:04:06,946 learn by providing information that turns out to be false, if 66 00:04:06,946 --> 00:04:08,848 you will, is that you're building the relationship, 67 00:04:08,848 --> 00:04:11,985 right? You're learning a protocol that you may not have 68 00:04:11,985 --> 00:04:14,787 been familiar with prior so that when you do have another 69 00:04:14,787 --> 00:04:17,824 insider threat, then you know who to call, and you know how 70 00:04:17,824 --> 00:04:20,793 to make sure that information is getting to the right people 71 00:04:20,793 --> 00:04:23,496 quickly. That's not something people do every day. They're 72 00:04:23,496 --> 00:04:27,967 seeing something that makes them say, I need to pass some 73 00:04:27,967 --> 00:04:31,004 information on. History shows us that in these 74 00:04:31,004 --> 00:04:34,774 active-shooter situations, the insider threat is real, and it 75 00:04:34,774 --> 00:04:38,544 can have global ties and global links, as we found in 76 00:04:38,745 --> 00:04:43,883 2009 at Fort Hood. Major Nidal Hasan, who was well-known - 77 00:04:43,883 --> 00:04:47,053 and then afterward, as we found, had been communicating 78 00:04:47,053 --> 00:04:51,324 overseas with an imam, Anwar al-Awlaki. Prior to that, the 79 00:04:51,324 --> 00:04:54,060 Department of Defense also had a lot of pre-incident 80 00:04:54,060 --> 00:04:58,865 indicators from people he had been talking to and presenting 81 00:04:58,865 --> 00:05:00,700 to - other soldiers who said, this individual's 82 00:05:00,700 --> 00:05:01,534 radicalizing. 83 00:05:01,834 --> 00:05:05,071 >>:As we found in the 2009 Fort Hood shooting, even a 84 00:05:05,071 --> 00:05:08,074 United States Army base is not immune from the insider 85 00:05:08,074 --> 00:05:11,878 threat. Though deemed an act of workplace violence, the 86 00:05:11,878 --> 00:05:15,214 gunman in this case exhibited many signs of radicalization 87 00:05:15,214 --> 00:05:17,183 that highlights the relationship between 88 00:05:17,183 --> 00:05:19,585 counterterrorism and the insider threat. 89 00:05:20,420 --> 00:05:22,955 >>:Yeah, I see from my experience - yeah, there's 90 00:05:23,356 --> 00:05:27,160 some similarities between, you know, a counterterrorism 91 00:05:27,160 --> 00:05:31,431 threat and a threat, you know, within a company from an 92 00:05:31,431 --> 00:05:37,036 insider. And I think a key way to look at this is that this 93 00:05:37,036 --> 00:05:40,973 person is deceiving those around him. I know there's a 94 00:05:40,973 --> 00:05:46,646 lot of reluctance of employees about maybe turning in, you 95 00:05:46,646 --> 00:05:49,182 know, one of their fellow employees, somebody that sits 96 00:05:49,182 --> 00:05:52,351 in the next cubicle to them. But the way you have to frame 97 00:05:52,351 --> 00:05:55,822 that in your mind is, this person is deceiving 98 00:05:55,822 --> 00:05:57,857 everybody - to include you. 99 00:05:57,857 --> 00:06:03,496 >>:The problem was so much simpler a couple of decades 100 00:06:03,496 --> 00:06:05,098 ago. And I think probably no national security issue has 101 00:06:05,098 --> 00:06:10,136 undergone such significant, profound and complex change. 102 00:06:10,136 --> 00:06:12,872 And I think in today's threat environment, the idea of 103 00:06:13,306 --> 00:06:16,709 separating the insider threat or the cyber threat from the 104 00:06:17,009 --> 00:06:21,280 insurgency threat or the anarchist threat is impossible 105 00:06:21,280 --> 00:06:24,784 to do. They all kind of roll up into one big, 106 00:06:24,784 --> 00:06:28,755 really-difficult-to-understand-and-to-deal-with threat. 107 00:06:28,755 --> 00:06:31,357 >>:People are looking for answers. They - they're - they 108 00:06:31,357 --> 00:06:34,627 feel uncertain because of new headlines that pop up every 109 00:06:34,627 --> 00:06:37,864 week of a - you know, a mass shooting here or an incident 110 00:06:37,864 --> 00:06:40,833 occurring there. People want to know what to do in their 111 00:06:40,833 --> 00:06:43,803 own business environment. They want to know what to do when 112 00:06:43,803 --> 00:06:46,572 they're at the mall. And so talking through that with 113 00:06:46,572 --> 00:06:50,176 people is extremely important. And I think the See Something, 114 00:06:50,176 --> 00:06:54,480 Say Something is the start of a very important process that 115 00:06:54,480 --> 00:06:56,916 people can learn to make themselves and their families 116 00:06:56,916 --> 00:06:57,250 safer. 117 00:06:57,817 --> 00:07:01,087 >>:DHS' See Something, Say Something campaign is an 118 00:07:01,087 --> 00:07:04,323 effort to enable and empower civilian stakeholders to 119 00:07:04,323 --> 00:07:07,360 report suspicious activity that may represent a concern. 120 00:07:07,627 --> 00:07:11,564 As Jaeson Jones discussed, in the lead up to the 2009 Fort 121 00:07:11,564 --> 00:07:14,233 Hood shooting, there were many signs of potential 122 00:07:14,233 --> 00:07:17,904 radicalization as Major Nidal Hasan spoke openly with fellow 123 00:07:17,904 --> 00:07:20,907 soldiers about his grievances with the United States 124 00:07:20,907 --> 00:07:23,876 government. Had these concerns been reported to the proper 125 00:07:23,876 --> 00:07:26,345 authorities, it's possible this event could've been 126 00:07:26,345 --> 00:07:29,415 prevented. The lessons learned from this case illustrate that 127 00:07:29,415 --> 00:07:31,551 many tenets of counterterrorism may be 128 00:07:31,551 --> 00:07:34,821 applied to issues such as workplace violence, as the 129 00:07:34,821 --> 00:07:37,623 office is one of many smaller environments with a broad 130 00:07:37,623 --> 00:07:41,360 exposure to an individual's behavioral base line. What can 131 00:07:41,360 --> 00:07:43,329 be learned from the See Something, Say Something 132 00:07:43,329 --> 00:07:45,965 campaign that can be utilized in the workplace? 133 00:07:46,265 --> 00:07:49,569 >>:DHS has a great program called See Something, Say 134 00:07:49,569 --> 00:07:53,105 Something. It's linked to SAR - suspicious activity 135 00:07:53,105 --> 00:07:56,209 reporting - all over the United States within local, 136 00:07:56,209 --> 00:07:58,878 state and federal governments. And the program has proven to 137 00:07:58,878 --> 00:08:02,415 be successful. But the key for an insider threat is to make 138 00:08:02,415 --> 00:08:06,052 sure that that information is getting to those folks who can 139 00:08:06,252 --> 00:08:09,121 analyze that information and then act upon it. And what do 140 00:08:09,121 --> 00:08:11,257 we always hear afterward, right? We hear that there was 141 00:08:11,257 --> 00:08:14,660 an indicator. Somebody made an outcry, provided information 142 00:08:14,660 --> 00:08:17,763 to HR or to a supervisor, but that information was never 143 00:08:17,763 --> 00:08:20,433 acted upon. And then if we look at the pathway to 144 00:08:20,433 --> 00:08:24,303 violence as to how fast they begin once they go overt, we 145 00:08:24,303 --> 00:08:27,673 aren't acting fast enough with the information that we do get 146 00:08:27,673 --> 00:08:31,444 when either it be a supervisor or law enforcement that gets 147 00:08:31,444 --> 00:08:33,613 the information. And that's an important piece of it. That's 148 00:08:33,613 --> 00:08:36,115 what we're trying to get to - right? - is preparedness. How 149 00:08:36,115 --> 00:08:38,885 can you prevent these incidents? How can you protect 150 00:08:38,885 --> 00:08:42,722 the folks, mitigate the problem, respond effectively 151 00:08:42,722 --> 00:08:46,692 and at the same time, be able to recover as, you know, an 152 00:08:46,692 --> 00:08:49,061 individual, an organization, as a community from these 153 00:08:49,061 --> 00:08:52,265 events? Yeah, the insider threats are a real problem - 154 00:08:52,265 --> 00:08:56,369 and it's learning that pathway to a new tradecraft of 155 00:08:56,702 --> 00:08:57,870 collecting information. 156 00:08:57,870 --> 00:09:01,107 >>:The pathway to violence - and a simplified form of that 157 00:09:01,107 --> 00:09:04,877 has four major components to it. The first is the ideation 158 00:09:04,877 --> 00:09:07,613 or the thought about using violence to address a 159 00:09:07,613 --> 00:09:11,417 perceived or real grievance or provocation - high base-rate 160 00:09:11,417 --> 00:09:15,154 behavior. Most of us have those reactions. Few of us 161 00:09:15,154 --> 00:09:18,424 actually act on it. The next step in the evolution of the 162 00:09:18,424 --> 00:09:22,628 risk is a planful approach - so engaging and planning 163 00:09:22,628 --> 00:09:25,932 around it - not just, I'm mad at the boss, I feel betrayed 164 00:09:25,932 --> 00:09:29,335 by my co-workers, but, they need to pay for it, and now, 165 00:09:29,335 --> 00:09:33,306 how? So I start thinking, do I want to embarrass or shame 166 00:09:33,306 --> 00:09:35,441 them? Do I want to cause physical damage? Do I want to 167 00:09:35,441 --> 00:09:39,645 sabotage IT systems? Do I want to use physical violence? 168 00:09:39,645 --> 00:09:41,647 There's a whole set of behaviors that go along with 169 00:09:41,647 --> 00:09:45,584 each of those stages that tend to be observable to others, or 170 00:09:45,584 --> 00:09:47,320 at least, there's a reasonable likelihood that they're 171 00:09:47,320 --> 00:09:50,856 observable to others. It may not be illegal behavior. It 172 00:09:50,856 --> 00:09:54,393 may not be, by itself, disruptive behavior, but it 173 00:09:54,393 --> 00:09:57,063 stands out as a deviation from the norm. 174 00:09:57,997 --> 00:10:00,099 >>:Yeah, it's a challenge, right? I mean, because you 175 00:10:00,099 --> 00:10:04,437 want to do the right thing, but at the same time, not give 176 00:10:04,437 --> 00:10:07,440 up information on someone who, you know, probably just trying 177 00:10:07,440 --> 00:10:09,141 to voice their concerns or some issues 178 00:10:09,141 --> 00:10:10,343 that they're having. 179 00:10:10,343 --> 00:10:12,912 >>:People, your co-workers - you don't want to tattle on 180 00:10:12,912 --> 00:10:16,082 them. That saying's not only for, you know, gang members. 181 00:10:16,082 --> 00:10:18,317 You know, don't snitch. You know, you always hear that 182 00:10:18,584 --> 00:10:22,254 phrase, you know, out there. Yeah, co-workers don't want to 183 00:10:22,254 --> 00:10:24,123 get somebody in trouble because, you know, they don't 184 00:10:24,123 --> 00:10:27,393 want to get them fired, you know, from their livelihood 185 00:10:27,393 --> 00:10:31,163 and then things like that. But things should be reported up. 186 00:10:31,163 --> 00:10:34,233 And I think it starts at the organization level of 187 00:10:34,233 --> 00:10:37,169 fostering that positive environment to see, hey, yeah, 188 00:10:37,169 --> 00:10:40,606 report it, and let's look into it. How is that organization 189 00:10:40,606 --> 00:10:41,540 going to deal with that? 190 00:10:41,540 --> 00:10:43,342 >>:Here's the background of that. If you know a piece of 191 00:10:43,342 --> 00:10:45,344 information, you don't know what someone else knows, 192 00:10:45,344 --> 00:10:48,381 right? There may have been a prior incident with that 193 00:10:48,381 --> 00:10:50,483 individual, and that's why it's important to report these 194 00:10:50,483 --> 00:10:53,686 things to your - to leadership within your organization so 195 00:10:53,686 --> 00:10:55,788 that we can try to mitigate and prevent these problems. 196 00:10:56,322 --> 00:10:59,225 >>:What we're asking people to do is to share observations 197 00:10:59,225 --> 00:11:02,595 about relatively small subsets of behavior because we've 198 00:11:02,595 --> 00:11:05,464 learned from experience that it's unlikely that somebody - 199 00:11:05,464 --> 00:11:08,834 any one person will be in a position to know everything 200 00:11:08,834 --> 00:11:11,904 about a circumstance. So what that means is that we're 201 00:11:11,904 --> 00:11:14,306 asking people to share information about things that 202 00:11:14,306 --> 00:11:17,443 will not, in fact, turn out to be highly problematic. And we 203 00:11:17,443 --> 00:11:20,112 need for people to know that's OK and that's not going to 204 00:11:20,112 --> 00:11:23,282 result in adverse actions that aren't merited. That doesn't 205 00:11:23,282 --> 00:11:26,452 involve just reporting. It involves taking the steps that 206 00:11:26,452 --> 00:11:30,856 are within a person's purview, within their skillset, to deal 207 00:11:30,856 --> 00:11:34,126 with themselves. Now, I don't mean by themselves, but take 208 00:11:34,126 --> 00:11:37,463 initial steps. The example I often use is, let's say we've 209 00:11:37,463 --> 00:11:40,032 got a door that's being left open, propped open through the 210 00:11:40,032 --> 00:11:42,935 day. It's all well and good that somebody keeps reporting 211 00:11:42,935 --> 00:11:45,438 that, but it's also important to go and shut the door. 212 00:11:45,771 --> 00:11:47,973 >>:I got my own personal experience with that. One of 213 00:11:47,973 --> 00:11:52,745 the most famous and damaging spies in U.S. history was Ana 214 00:11:52,745 --> 00:11:55,981 Montes. I worked on the same floor as Ana Montes in the 215 00:11:55,981 --> 00:12:00,719 DIA. I passed her every day. She was a very good analyst. 216 00:12:02,621 --> 00:12:06,025 And I personally bear responsibility for having her 217 00:12:06,025 --> 00:12:10,062 read into some of the darkest deepest blackest programs we 218 00:12:10,062 --> 00:12:13,766 had because she was the one person that really understood 219 00:12:13,766 --> 00:12:17,603 Cuban. Now we know why. But she understood it. And 220 00:12:18,003 --> 00:12:21,273 everybody felt the same way about her - good analyst but 221 00:12:21,273 --> 00:12:24,610 there's something wrong here. But nobody, including myself, 222 00:12:24,610 --> 00:12:26,712 wanted to go to security and say, you know, you really 223 00:12:26,712 --> 00:12:27,780 ought to take a look at her. 224 00:12:28,114 --> 00:12:33,285 >>:I didn't work exactly near her, but I was - I worked 225 00:12:33,285 --> 00:12:37,490 around her. And I worked with her on several projects over 226 00:12:37,490 --> 00:12:41,760 the course of probably 10 years. I never really 227 00:12:41,760 --> 00:12:46,165 suspected that she would have been a spy. I suspected that 228 00:12:46,765 --> 00:12:50,536 she had many, you know, issues, none that would have 229 00:12:50,536 --> 00:12:52,938 impacted, you know, her performance or work or 230 00:12:52,938 --> 00:12:56,175 anything like that. So it didn't really cause me a lot 231 00:12:56,175 --> 00:13:00,646 of concern. But it's a case of, somebody even within the 232 00:13:00,646 --> 00:13:02,915 intelligence community with a tremendous amount of 233 00:13:02,915 --> 00:13:07,219 operational experience really never took, you know, notice 234 00:13:07,219 --> 00:13:11,323 of the spy who did a reputable harm to the U.S. government 235 00:13:11,323 --> 00:13:14,326 and our policies in - all over South America. 236 00:13:14,927 --> 00:13:19,231 >>:You know, denial, you know, is a key aspect of you not 237 00:13:19,598 --> 00:13:26,005 reporting it because you can't imagine it happening to you in 238 00:13:26,005 --> 00:13:30,643 your workplace. And that, again, always has to be 239 00:13:30,643 --> 00:13:34,246 considered is your personal denial that something is 240 00:13:34,246 --> 00:13:35,014 actually occurring. 241 00:13:35,915 --> 00:13:42,288 >>:Vigilance by co-workers, supervisors and so on; good 242 00:13:42,288 --> 00:13:47,960 intelligence, collection and analysis are important. But 243 00:13:47,960 --> 00:13:53,232 they're just as important as as luck. And you increase the 244 00:13:53,232 --> 00:13:58,103 chances of luck by putting more information into the 245 00:13:58,103 --> 00:14:01,240 hopper that allows somebody to go, wait a minute. 246 00:14:02,374 --> 00:14:05,144 >>:What Dr. Gene Deisinger described in the pathway to 247 00:14:05,144 --> 00:14:09,081 violence is an extended period of time and exposure between a 248 00:14:09,081 --> 00:14:11,984 potential inside threat and those around them in their 249 00:14:11,984 --> 00:14:15,554 day-to-day life. In the case of Ana Montes and the Defense 250 00:14:15,554 --> 00:14:19,625 Intelligence Agency, the odd behaviors exhibited by Montes 251 00:14:19,625 --> 00:14:22,127 over the course of many years were representative of an 252 00:14:22,127 --> 00:14:25,564 underlying deception, as she served as a double agent for 253 00:14:25,564 --> 00:14:29,134 the Cuban government. [LB] As with the 2009 Fort Hood 254 00:14:29,134 --> 00:14:32,037 shooting, there were behaviors detected by those around 255 00:14:32,037 --> 00:14:35,474 Montes. And had the concerns of colleagues been reported to 256 00:14:35,474 --> 00:14:38,177 those with the powers to investigate that behavior, 257 00:14:38,477 --> 00:14:41,013 it's possible that this spy may have been discovered 258 00:14:41,013 --> 00:14:43,749 before she caused so much damage. To this point, it's 259 00:14:43,749 --> 00:14:47,186 clear that taking action and reporting suspicious behaviors 260 00:14:47,186 --> 00:14:50,155 is key. But what type of behaviors should we be 261 00:14:50,155 --> 00:14:51,123 concerned with? 262 00:14:51,690 --> 00:14:55,628 >>:Hindsight is 20/20. And I really think it's important to 263 00:14:55,628 --> 00:14:59,965 unpack that and why. The micro signals that said that 264 00:14:59,965 --> 00:15:01,567 such-and-such person was either going to harm 265 00:15:01,567 --> 00:15:03,936 themselves or harm other people or do it in the 266 00:15:03,936 --> 00:15:07,172 workplace, whatever it is - they were there. It was a 267 00:15:07,172 --> 00:15:09,174 matter of not bringing them all together. We all know 268 00:15:09,174 --> 00:15:12,177 that. We talk about connecting the dots. But we haven't yet 269 00:15:12,177 --> 00:15:17,016 had a real conversation about what that means. 270 00:15:17,416 --> 00:15:20,219 >>:Well, I mean, it's - the insider threat from my 271 00:15:20,219 --> 00:15:25,624 experience is kind of the classic spy or asset within 272 00:15:25,624 --> 00:15:29,161 your organization. The ways you would pick up on that 273 00:15:29,161 --> 00:15:34,300 person would be, you know, undue affluence, you know, 274 00:15:34,300 --> 00:15:38,337 maybe repeated security violations, kind of these 275 00:15:38,337 --> 00:15:41,640 classic indicators that anybody that grew up in the 276 00:15:41,640 --> 00:15:44,209 intelligence community would recognize. 277 00:15:44,476 --> 00:15:49,181 >>:Some employees may not quite fit in, or they may have 278 00:15:49,181 --> 00:15:53,986 personal problems that they bring over to the workplace. 279 00:15:54,219 --> 00:15:57,856 They might have financial problems or problems with 280 00:15:58,290 --> 00:16:02,461 relationships, with a spouse or girlfriend that spills over 281 00:16:02,695 --> 00:16:06,432 into the workplace and affects their work. This will be 282 00:16:06,432 --> 00:16:11,603 noticed by their colleagues and supervisors, and then they 283 00:16:11,603 --> 00:16:17,076 will respond to these situations in a negative way. 284 00:16:17,543 --> 00:16:23,816 This population is in the tiny minority. They start doing 285 00:16:23,816 --> 00:16:28,854 things that are out of place or out of character. They're 286 00:16:28,854 --> 00:16:35,127 likely to become very close-lipped about what they 287 00:16:35,127 --> 00:16:39,398 are doing and become increasingly isolated so that 288 00:16:39,398 --> 00:16:43,669 their risky activities will not be found out by others. 289 00:16:43,936 --> 00:16:46,405 >>:But again, you go back to the human factor of, you don't 290 00:16:46,405 --> 00:16:49,942 want to report or tell your coworker when it might just be 291 00:16:49,942 --> 00:16:52,578 something - they might have had a fight with their spouse 292 00:16:52,578 --> 00:16:54,847 or, you know, their kid might have got bad grades or 293 00:16:54,847 --> 00:16:57,750 something, you know, becuase we all have bad days. It's 294 00:16:57,750 --> 00:17:02,154 easy to understand that. Now, where - it's not as black and 295 00:17:02,154 --> 00:17:04,256 white. There's not easy metrics where you can say, OK. 296 00:17:04,256 --> 00:17:08,994 If you see no behavior A, you must turn them in because it's 297 00:17:08,994 --> 00:17:12,231 such a subjective area. Where is the tipping point where 298 00:17:12,231 --> 00:17:14,366 that becomes violence? It's really hard to identify. 299 00:17:15,467 --> 00:17:18,003 >>:The real challenge comes in trying to assess the intent 300 00:17:18,003 --> 00:17:20,906 behind that activity. So on a human level, obviously, you're 301 00:17:20,906 --> 00:17:22,608 trying to connect with your colleague. You want to be 302 00:17:22,608 --> 00:17:27,346 supportive. And you might push out of your mind, as part of 303 00:17:27,346 --> 00:17:30,616 that effort, why they might be feeling that way, what might 304 00:17:30,616 --> 00:17:32,885 be causing that tension. Is there something else at play 305 00:17:32,885 --> 00:17:36,188 beyond what they've shared. Maybe, are they trying to 306 00:17:36,188 --> 00:17:40,292 purposely elicit that emotion out of you so that you're 307 00:17:40,292 --> 00:17:43,228 empathetic and sympathetic and not focusing on something else 308 00:17:43,228 --> 00:17:45,864 that's going on in their life? Oftentimes with these things 309 00:17:45,864 --> 00:17:49,635 because there is a human dimension, because we all can 310 00:17:49,835 --> 00:17:53,439 be sort of distracted and manipulated to an extent or 311 00:17:53,439 --> 00:17:57,876 just affected by our own emotions when trying to reach 312 00:17:57,876 --> 00:18:03,582 out to a colleague - the best way to overcome missing a 313 00:18:03,582 --> 00:18:07,519 signal that something might be off, or there might be a 314 00:18:07,519 --> 00:18:10,556 threat is to see what other indicators might be there or 315 00:18:10,556 --> 00:18:13,225 just information. Let's not even call them indicators yet 316 00:18:13,225 --> 00:18:17,996 because that also presupposes some bias in terms of it being 317 00:18:17,996 --> 00:18:20,632 nefarious or not. But you know, what's really going on 318 00:18:20,632 --> 00:18:21,600 with this person? 319 00:18:21,600 --> 00:18:23,469 >>:But again, it goes back to what I talked about earlier. 320 00:18:23,702 --> 00:18:27,339 You must take action and start the investigative process to 321 00:18:27,339 --> 00:18:31,477 see where that individual is in that. And that process can 322 00:18:31,477 --> 00:18:35,647 take you if you're a private organization outside of your 323 00:18:35,647 --> 00:18:38,317 department, outside of your agency working and 324 00:18:38,317 --> 00:18:41,920 collaborating, and that's why I say collaboration is the key 325 00:18:41,920 --> 00:18:43,088 in the 21st century. 326 00:18:43,355 --> 00:18:45,424 >>:Again, going back and looking at the health of the 327 00:18:45,424 --> 00:18:48,427 overall organization, you know. It takes, you know, one 328 00:18:48,427 --> 00:18:52,698 bad apple to ruin the bunch. In my experience, you know, in 329 00:18:52,698 --> 00:18:55,601 looking at that behavior that's a little different, 330 00:18:55,801 --> 00:18:59,004 little, you know, unusual, you know, especially breaking from 331 00:18:59,004 --> 00:19:01,974 a norm - not that breaking from a norm means something 332 00:19:02,307 --> 00:19:04,243 bad is going to happen. But you still need to kind of 333 00:19:04,243 --> 00:19:06,545 evaluate that, you know, if it's something out of the 334 00:19:06,545 --> 00:19:11,216 ordinary. My old organization that was very well almost 335 00:19:11,216 --> 00:19:14,753 brought down a - it was an incident that happened in a 336 00:19:14,753 --> 00:19:18,624 specific region of the country because of the actions of a 337 00:19:18,624 --> 00:19:24,897 few, almost brought the entire agency to its knees. One agent 338 00:19:24,897 --> 00:19:29,935 finally said something during, you know, over the course over 339 00:19:29,935 --> 00:19:33,505 a period of time, you know, said something like this is 340 00:19:33,505 --> 00:19:37,409 not right. You know, I've been taught better. And finally, 341 00:19:37,409 --> 00:19:40,379 you know, they've kind of reported up to what they were 342 00:19:40,379 --> 00:19:43,515 witnessing there in the specific, you know, region. It 343 00:19:43,515 --> 00:19:46,218 kind of dealt with an investigation and some bad 344 00:19:46,218 --> 00:19:50,522 practices. However, you know, again, that was a few people, 345 00:19:51,123 --> 00:19:52,591 you know. And if that agent wouldn't have said anything 346 00:19:52,591 --> 00:19:56,495 and that bad behavior or bad practice continued, maybe it 347 00:19:56,495 --> 00:19:59,398 would have, you know, brought down the agency. 348 00:19:59,665 --> 00:20:03,602 >>:Your personal biases can always sway you because you 349 00:20:03,602 --> 00:20:09,775 can't imagine it happening to you in your workplace. And 350 00:20:09,775 --> 00:20:13,178 that, again, always has to be considered - is your personal 351 00:20:13,178 --> 00:20:16,982 denial that something is actually occurring. And I've 352 00:20:16,982 --> 00:20:21,253 always said that the easiest person to fool is usually 353 00:20:21,253 --> 00:20:21,887 yourself. 354 00:20:23,088 --> 00:20:25,824 >>:It seems that there are often several behaviors or 355 00:20:25,824 --> 00:20:29,494 indicators in the life cycle of an insider threat. Some are 356 00:20:29,494 --> 00:20:32,264 less malevolent such as changes in behavior or 357 00:20:32,264 --> 00:20:36,435 appearance. Some are so-called midrange behaviors such as 358 00:20:36,635 --> 00:20:39,471 speaking out about a grievance against a community or 359 00:20:39,471 --> 00:20:43,108 employer. And some still may include high-risk behaviors 360 00:20:43,108 --> 00:20:47,112 such as potential violent acts. The key is that the more 361 00:20:47,112 --> 00:20:50,148 information reported within an organization or community 362 00:20:50,482 --> 00:20:52,718 leads to more opportunities for intervention. 363 00:20:53,251 --> 00:20:55,988 >>:What experts have shown us in the last two sections on 364 00:20:55,988 --> 00:20:58,624 workplace violence and counterterrorism is that it 365 00:20:58,624 --> 00:21:01,760 requires vigilance from all levels of an organization or 366 00:21:01,760 --> 00:21:04,529 community to identify suspicious behavior and 367 00:21:04,529 --> 00:21:07,566 potential threats as they emerge. Having reporting 368 00:21:07,566 --> 00:21:10,502 mechanisms in place to communicate concerns is also 369 00:21:10,502 --> 00:21:13,405 critical, whether that means an organizational plan to 370 00:21:13,405 --> 00:21:16,875 report workplace concerns anonymously, outreach to local 371 00:21:16,875 --> 00:21:19,244 law enforcement or participation in the 372 00:21:19,244 --> 00:21:22,781 see-something-say-something campaign. As we are about to 373 00:21:22,781 --> 00:21:25,884 learn, however, insider threats in the cyber realm 374 00:21:25,884 --> 00:21:29,121 require another level of preparedness. While much of 375 00:21:29,121 --> 00:21:31,690 this video is centered around those seeking to harm an 376 00:21:31,690 --> 00:21:35,293 organization from within, Jackie Barbieri and Al Phoenix 377 00:21:35,293 --> 00:21:37,896 showed how reporting even casual misconduct in the 378 00:21:37,896 --> 00:21:40,699 workplace can protect the organization by enabling 379 00:21:40,699 --> 00:21:44,069 internal mechanisms to assess security gaps. General 380 00:21:44,069 --> 00:21:47,706 misconduct or not following protocols represent an insider 381 00:21:47,706 --> 00:21:50,676 whose actions are not intended to harm the organization but 382 00:21:50,676 --> 00:21:53,779 whose behavior puts the community at risk anyway. The 383 00:21:53,779 --> 00:21:56,415 field of cybersecurity is divided by this unique 384 00:21:56,415 --> 00:21:59,851 challenge. Malevolent insiders often have easy access to 385 00:21:59,851 --> 00:22:03,455 sensitive data on a daily basis. Worse yet, even honest 386 00:22:03,455 --> 00:22:06,124 employees may pose a threat if they lack the training 387 00:22:06,124 --> 00:22:10,729 necessary to keep your network secure. So which is worse, the 388 00:22:10,729 --> 00:22:14,032 conscious threat or the unintentional vulnerability? 389 00:22:14,299 --> 00:22:19,304 >>:Both are important. And usually, you may not have 390 00:22:19,304 --> 00:22:23,175 control over either one, or you may have control over only 391 00:22:23,175 --> 00:22:26,645 one. Threats are something, again, bad that could happen, 392 00:22:26,645 --> 00:22:29,481 and usually, an organization is not going to have control 393 00:22:29,781 --> 00:22:32,417 over a threat. They can have awareness of a potential 394 00:22:32,417 --> 00:22:34,953 threat that can occur, but they don't have control over 395 00:22:34,953 --> 00:22:37,989 that particular activity taking place. A vulnerability 396 00:22:37,989 --> 00:22:40,592 is something that, again, is a weakness in the system, so an 397 00:22:40,592 --> 00:22:43,729 organization can absolutely take a look at what 398 00:22:43,729 --> 00:22:46,898 vulnerabilities are present in their system and start to 399 00:22:46,898 --> 00:22:49,067 proactively manage them. 400 00:22:49,067 --> 00:22:51,036 >>:The name of the game is not so, like, just buying 401 00:22:51,036 --> 00:22:53,872 everything that you can to make yourself secure. It's 402 00:22:53,872 --> 00:22:56,675 really about making it just hard enough so that you don't 403 00:22:56,675 --> 00:22:59,144 pop up on the radar. Especially for small 404 00:22:59,144 --> 00:23:01,279 businesses, smaller organizations, the three 405 00:23:01,480 --> 00:23:03,582 things on the user side is what we talked about - 406 00:23:03,582 --> 00:23:06,651 two-factor authentication, strong passwords 407 00:23:06,651 --> 00:23:07,986 and use a VPN. 408 00:23:07,986 --> 00:23:10,255 >>:Two-factor authentication is what you, something you 409 00:23:10,255 --> 00:23:13,325 know and something you have. And something you have could 410 00:23:13,325 --> 00:23:17,963 be a token or a rotating password, but something you 411 00:23:17,963 --> 00:23:20,999 have should be something that is difficult for a potential 412 00:23:20,999 --> 00:23:22,267 hacker to compromise. 413 00:23:22,734 --> 00:23:25,103 >>:But then, when you're looking at the network, then 414 00:23:25,103 --> 00:23:28,173 you start talking about proper segmentation, making sure 415 00:23:28,173 --> 00:23:30,675 users don't have unauthorized or access they don't 416 00:23:30,942 --> 00:23:33,044 necessarily need. What the bad guys are going to do is 417 00:23:33,044 --> 00:23:37,783 they're going to find that person who has that access, 418 00:23:37,783 --> 00:23:41,419 right? Everyone knows when they have a problem on the 419 00:23:41,419 --> 00:23:44,456 computer, they call the IT guy, and that IT guy, without 420 00:23:44,456 --> 00:23:46,658 being in the same room, can take over their mouse and move 421 00:23:46,658 --> 00:23:48,760 it around on the screen, right? That's the guy that the 422 00:23:48,760 --> 00:23:51,163 bad guys are looking for because they want to control 423 00:23:51,163 --> 00:23:53,932 his computer without him knowing it because he has 424 00:23:53,932 --> 00:23:56,535 access to everybody's computer and every other computer, 425 00:23:56,535 --> 00:23:59,638 usually every other corner of their network. That's what the 426 00:23:59,638 --> 00:24:03,141 bad guys use to get inside and steal what they need to steal. 427 00:24:03,141 --> 00:24:06,711 >>:And really, a lack of understanding is what leads to 428 00:24:06,711 --> 00:24:09,581 so many problems. You know, one of the biggest methods for 429 00:24:09,581 --> 00:24:11,750 gaining footholds is still fishing - spearfishing 430 00:24:11,750 --> 00:24:14,119 campaigns. You get an email that looks like something that 431 00:24:14,119 --> 00:24:17,022 you should click on, open. It looks legitimate. You know, 432 00:24:17,255 --> 00:24:20,058 click here to reset your password. Yeah, that seems 433 00:24:20,058 --> 00:24:23,094 like it would - came from Facebook or from IT support of 434 00:24:23,094 --> 00:24:25,463 my company. And you click on it, and all of a sudden, 435 00:24:25,463 --> 00:24:28,233 without you even knowing, it's laid a payload in your 436 00:24:28,233 --> 00:24:32,237 computer. And whether or not you reset it, there are some 437 00:24:32,237 --> 00:24:35,674 really crazy things can - that can be done, and you wouldn't 438 00:24:35,674 --> 00:24:38,910 know for years whether or not something been done to your 439 00:24:38,910 --> 00:24:41,112 computer. And they're just sitting there, capturing your 440 00:24:41,112 --> 00:24:44,816 keystrokes. So sure, your password might be invisible to 441 00:24:44,816 --> 00:24:47,319 the naked eye, but they can see which keys you've hit, and 442 00:24:47,319 --> 00:24:48,687 they're able to capture all of that. 443 00:24:49,054 --> 00:24:51,022 >>:It sounds silly, but there's obviously the 444 00:24:51,022 --> 00:24:53,658 advanced, persistent threat, which is where they've - they 445 00:24:53,658 --> 00:24:57,762 are looking to gain access into your network. And once 446 00:24:57,762 --> 00:25:00,665 they're in, they're continuing to dig their way through the 447 00:25:00,665 --> 00:25:04,836 network to identify data and pull that data out so they 448 00:25:04,836 --> 00:25:07,706 can, you know, do with it whatever they would like to. 449 00:25:08,073 --> 00:25:11,643 Insider threat is looking at the internal controls and the 450 00:25:11,643 --> 00:25:14,212 behaviors of the individuals that are working for - you 451 00:25:14,212 --> 00:25:17,549 know, in your organization to ensure that the folks that 452 00:25:17,549 --> 00:25:22,320 have access to very sensitive or proprietary information - 453 00:25:22,320 --> 00:25:24,389 paying attention to the behaviors of those individuals 454 00:25:24,389 --> 00:25:26,958 and ensuring that you have the right security controls in 455 00:25:26,958 --> 00:25:31,363 place so that they are not exfiltrating or taking data 456 00:25:31,596 --> 00:25:35,033 and utilizing it against company purposes. 457 00:25:35,533 --> 00:25:37,335 >>:When we're talking about this with clients - and we see 458 00:25:37,335 --> 00:25:39,070 this with clients - is, they'll have an issue with an 459 00:25:39,070 --> 00:25:42,741 employee pop up. Maybe it's a rogue employee. It goes back 460 00:25:42,741 --> 00:25:46,544 to a lot of activity logs and monitoring their behavior 461 00:25:46,544 --> 00:25:51,182 digitally because they - if they're accessing places they 462 00:25:51,182 --> 00:25:54,552 shouldn't access or don't - or rarely access, or they're 463 00:25:54,552 --> 00:25:58,023 working at odd hours, or they're downloading a bunch of 464 00:25:58,023 --> 00:26:00,959 information they necessarily shouldn't and then emailing it 465 00:26:00,959 --> 00:26:03,528 to their, you know, personal Gmail account, you say, you 466 00:26:03,528 --> 00:26:05,597 know what? Bob hasn't been coming to work or he's been 467 00:26:05,597 --> 00:26:07,432 coming in late every day. And, like, something's kind of 468 00:26:07,432 --> 00:26:09,734 fishy with him. You could go back, and look at his activity 469 00:26:09,734 --> 00:26:12,570 logs and see, like, what's going on. Then it turns into 470 00:26:12,570 --> 00:26:16,007 kind of an HR and a leadership function to find out and talk 471 00:26:16,007 --> 00:26:17,776 to Bob - you know, what's going on? You know, you got 472 00:26:17,776 --> 00:26:21,579 problems or just somebody who doesn't really know what 473 00:26:21,579 --> 00:26:22,714 they're doing. 474 00:26:22,714 --> 00:26:24,950 >>:Most people would think of a security attack, but a 475 00:26:24,950 --> 00:26:29,754 threat can actually be an innocent employee that 476 00:26:29,754 --> 00:26:32,924 unintentionally does something, makes an error 477 00:26:32,924 --> 00:26:36,361 which causes an incident. And that sounds like something 478 00:26:36,361 --> 00:26:38,797 everybody would know. But, I mean, humans should be looked 479 00:26:38,797 --> 00:26:42,434 at as almost human-detection sensors. If someone is aware 480 00:26:42,434 --> 00:26:45,603 within your organization, then - and they report it, then 481 00:26:45,603 --> 00:26:48,206 that can potentially shut down a potential attack before 482 00:26:48,206 --> 00:26:49,441 something bad happens. 483 00:26:49,641 --> 00:26:52,110 >>:I mean, they're not hacking websites anymore. They're 484 00:26:52,110 --> 00:26:55,246 paying somebody off to insert a thumb drive - somebody who 485 00:26:55,246 --> 00:26:59,384 actually works there or has normal access - or they are 486 00:26:59,684 --> 00:27:01,686 trying to clone badges, and get inside through the badge 487 00:27:01,686 --> 00:27:05,223 reader and sit down at a workstation or a conference 488 00:27:05,223 --> 00:27:07,592 room that's unoccupied. They're not hacking anything. 489 00:27:08,393 --> 00:27:10,962 They're manipulating people, and they're able to get 490 00:27:10,962 --> 00:27:13,231 inside. So once they get on the network, they're already 491 00:27:13,231 --> 00:27:15,233 inside, and they're already a trusted user, so firewall's 492 00:27:15,233 --> 00:27:16,634 not going to do anything. 493 00:27:16,634 --> 00:27:17,669 We're already past the firewall. 494 00:27:17,669 --> 00:27:19,537 >>:It - you know, there are so many foundational elements 495 00:27:19,537 --> 00:27:22,707 that become a part of the culture of how you build your 496 00:27:22,707 --> 00:27:25,377 organization. Security, really, should be a part of 497 00:27:25,377 --> 00:27:28,213 that and understanding that when I open up an email that 498 00:27:28,213 --> 00:27:32,484 can expose our organization to risk, when I engage in 499 00:27:32,484 --> 00:27:36,488 conversations or have my laptop out in areas and use a 500 00:27:36,488 --> 00:27:40,358 public Wi-Fi, that exposes my organization to risk, it - I 501 00:27:40,358 --> 00:27:43,528 think really building in awareness to the culture of a 502 00:27:43,528 --> 00:27:47,599 business of how you, as an individual, can either be a 503 00:27:47,599 --> 00:27:49,234 point of risk or a point of strength. 504 00:27:49,601 --> 00:27:53,471 >>:I think having an educated workforce is critical because, 505 00:27:53,471 --> 00:27:56,474 again, I think there are so many things that can happen 506 00:27:57,375 --> 00:28:02,180 with humans that having a basic, fundamental level of 507 00:28:02,180 --> 00:28:04,916 understanding about things they should look out for, 508 00:28:05,150 --> 00:28:07,786 things to be aware of, can be - they can be your best 509 00:28:07,786 --> 00:28:12,257 defense, I think, in trying to protect the information and 510 00:28:12,257 --> 00:28:15,460 the company assets. The better informed and trained your 511 00:28:15,460 --> 00:28:17,929 organization and the people within your organization are, 512 00:28:18,196 --> 00:28:20,832 the better off you are as an organization because cyber 513 00:28:20,832 --> 00:28:24,002 shouldn't just be about the people that are responsible 514 00:28:24,002 --> 00:28:27,572 for information security. Cyber is an ecosystem, so it 515 00:28:27,572 --> 00:28:30,708 should be looked at as all of the assets that you have in 516 00:28:30,708 --> 00:28:33,978 your organization, as well as the people. So the more aware 517 00:28:33,978 --> 00:28:37,148 your people are, the better you're going to have an 518 00:28:37,148 --> 00:28:39,851 overall comprehensive and holistic security program. 519 00:28:40,251 --> 00:28:42,921 >>:The insider threat is a complex and adaptive 520 00:28:42,921 --> 00:28:45,323 challenge. Whether you're attempting to keep your 521 00:28:45,323 --> 00:28:48,793 community safe from an act of terror, attempting to protect 522 00:28:48,793 --> 00:28:51,362 your colleagues from an act of workplace violence, or 523 00:28:51,362 --> 00:28:54,299 securing your intellectual property from cybercrime, what 524 00:28:54,299 --> 00:28:56,935 we've learned today is the value of communication across 525 00:28:56,935 --> 00:29:00,038 all levels of the community. This may mean elevating 526 00:29:00,038 --> 00:29:02,874 concerns to superiors if you see a colleague exhibiting 527 00:29:02,874 --> 00:29:05,477 behaviors that may indicate they're on the pathway to 528 00:29:05,477 --> 00:29:08,146 violence, being comfortable reaching out to law 529 00:29:08,146 --> 00:29:09,914 enforcement when you see something that makes you 530 00:29:09,914 --> 00:29:12,984 uncomfortable in public and ensuring that you possess the 531 00:29:12,984 --> 00:29:15,787 knowledge and training to protect yourself and your 532 00:29:15,787 --> 00:29:19,090 organization from potential threats both physical and 533 00:29:19,090 --> 00:29:22,460 digital. The proximity of an insider threat to your 534 00:29:22,460 --> 00:29:25,330 organization is exactly what makes this challenge so 535 00:29:25,330 --> 00:29:29,134 dynamic. However, that frequent exposure also 536 00:29:29,134 --> 00:29:32,637 provides opportunities for intervention. Now that you're 537 00:29:32,637 --> 00:29:35,306 armed with information about the pathway to violence, 538 00:29:35,540 --> 00:29:39,010 indicators of radicalization and reporting mechanisms in 539 00:29:39,010 --> 00:29:42,313 place to assist you, you and your organization are now 540 00:29:42,313 --> 00:29:45,683 capable of mitigating the insider threat and potentially 541 00:29:45,683 --> 00:29:49,787 rescuing a friend or a colleague in deep crisis. For 542 00:29:49,787 --> 00:29:52,624 more information on the insider threat and the active 543 00:29:52,624 --> 00:29:54,225 shooter threat, please visit 544 00:29:54,225 --> 00:29:59,330 DHS.gov/active-shooter-preparedness. 545 00:29:59,330 --> 00:30:02,233 There, you'll find more resources, such as the DHS 546 00:30:02,233 --> 00:30:05,136 Pathway to Violence fact sheet, and other information 547 00:30:05,136 --> 00:30:08,540 and resources for preparedness that ensure if you do see 548 00:30:08,540 --> 00:30:11,609 something, you'll be able to say something. 549 00:30:11,609 --> 00:30:34,299 (MUSIC)