
The New Face of Terrorism
By John E. Nevola
When United States companies first decided to develop contingency plans for extended unplanned outages in the mid 1970s, the
compelling reasons were natural disasters and the resulting power outages that usually accompanied them. The basis of their
concern and the reason for taking action was to protect the heart of all businesses: the data center. There were not enough
computers integrated into businesses in 1965 when the first great Northeast Power Outage occurred to stimulate much activity in
contingency planning. However, a second similar event in 1974 served as a wake-up call to many companies as they witnessed their
business operations come to a screeching halt as evidenced by the fatal silence of their power-starved computer rooms.
Business recovery planning and awareness have matured substantially in most companies since that time. An entire new industry has
been created to provide for the new and more complex recovery requirements of American businesses. It is not difficult today to
find alternate recovery sites, consultants, software, education and publications dedicated entirely to products and services for
contingency-minded companies. The business recovery industry has evolved to include the wherewithal to provide for total
business recovery; including end-user recovery and a wide variety of resumption services. For all these advances in requirements
and capabilities and for all the maturity and sophistication that has characterized business contingency planning in recent times, the
specter of terrorism as a meaningful and realistic threat has begun to pose some new and very unique problems.
International terrorism has been around for some time. There have been over 6,500 documented incidents since 1980 resulting in
more than 5,000 dead and 12,000 injured. While terrorism may take many forms, the one that concerns businesses the most is the
terrorist bomb. Customers in the United Kingdom cite bombings as the number one threat to their businesses and the primary
reason they engage in contingency planning. The statistics bear that out. Of the 467 most recently documented international disasters
(excluding the United States), 6 percent were caused by bombing. Until the incident at the World Trade Center in February 1993,
this category did not even appear in the statistics for the United States in a significant way. After the World Trade Center incident,
bombing/sabotage jumped to 8% of all causes of declared disasters, the fourth most frequent cause behind power (29%), storm
(11%) and flood damage (10%).
A large proportion of the international terrorist incidents (approximately 2,500 or 38%) have been directed at the United States.
These incidents include hostage-taking and terrorist bombing, among others. Most of these acts, however, have occurred against
U.S. properties overseas. The State Department, nevertheless, was so concerned about these incidents and threats that the Act to
Combat International Terrorism (Public Law 98-533) was passed in 1984. This law, known as the Rewards Program for Terrorism
Information, provides up to 2 million dollars for information that prevents or resolves acts of terrorism.
The bombing at the World Trade Center signaled a significant change in the tactics of international terrorists. It should have
provided a serious warning about the potential dangers of the calculated detonation of an explosive device in a large office building.
It is not clear, however, that the pure and simple impacts of such a demonstration of violence were fully appreciated and acted
upon. The most likely reason for this, perhaps, is that the most significant business impact of the Trade Center bombing was denial
of access. Once that problem was resolved, many companies had little difficulty in resuming normal business. The April 19, 1995
bombing of the Alfred P. Murrah Federal Building in Oklahoma City, on the other hand, was a very different incident. It was similar
only in the fact that the explosion was caused by a terrorist bomb. Almost every other aspect of Oklahoma City differed from the
World Trade Center incident.
First, the World Trade Center bombing was a true disaster but the Oklahoma City bombing was an American tragedy. The loss of
life was appalling and the impact on the community was devastating. An enormous feeling of loss and sorrow reached out from TV
screens all across the nation and touched every viewer, every night, in their living rooms. Shocked Americans everywhere counted
the bodies and mourned the children, too stunned to believe it and far too angry to even begin to understand the long-term
ramifications of this utterly senseless act. There has been nothing in our history to compare this to; no example of what to do, what
to say or how to behave. There was no guidance to help people understand that which had no explanation. But yet somehow, the
people, the community and the businesses are expected to eventually put this catastrophe behind them and move on. And one way
or another they will.
The World Trade Center bombing was the work of international terrorists; Oklahoma City was a home-grown event. Some people
viewed the Oklahoma City bombing as a stab in the back from an unexpected quarter. There are those whose emotions felt betrayed
that Americans committed this ruthless act; who would have somehow understood better if the plot was hatched by radicals from
foreign shores. The pragmatists, however, see this as an escalation in the threat probability; a greater risk of future terrorist
bombings from yet another source. The World Trade Center bombing in New York City was intended to make a political statement
in the starkest terms. Choosing to do this in the media capital of the world was neither an accident nor a surprise. Terrorists wage
psychological warfare and frighten and intimidate by the threat of action as well as the action itself. This usually results in attacks on
highly visible, high profile targets. It is this technique that the terrorist employs to gain the most widespread publicity. Oklahoma
City changed all of that. These fanatics chose an obscure target, perhaps deciding that its obscurity made it that much more
vulnerable. And they decided to make it a particularly savage attack; apparently to assure the notoriety that might otherwise be
absent in Oklahoma City.
The message is clear; there is no place, however removed from the mainstream, that is invulnerable to a terrorist bomb. Those that
have considered themselves and their businesses secure from this threat because their location is remote or removed from the beaten
track should heed the warning of Oklahoma City; no place, however removed, is safe. This event has significantly raised the stakes!
Finally, there is a substantial difference to the business impact between the World Trade Center and Oklahoma City. There was a
disruption of one day, a Friday, on February 26, 1993 when the WTC was bombed. Most of the 900 businesses were ill-prepared
as they found it necessary to return to their offices (under the watchful eye of a Port Authority Police escort) to recover critical
records and files. Thankfully, in this case, most companies were able to resume normal business because they were able to locate
and retrieve data and equipment. We were even able to witness, through the miracle of live television coverage, many businesses'
disaster recovery contingency plans in action. Unfortunately, some of these plans consisted of nothing more than an old coffee cart
piled up with personal computers, floppy disks and peripherals as they were wheeled continuously out of the lobby of the World
Trade Center throughout the weekend. There would be no such luxury in Oklahoma City. Destruction on this scale leaves no margin
for error and forgives no omission in a disaster recovery plan. Everything in the building was destroyed and anything needed for
business resumption, especially data, had better have been backed up someplace else.
This is just one small example of the differences between an Oklahoma City-type disaster and those that we have been coping with
the last few years. Contingency planners should be re-evaluating their plans with Oklahoma City in mind, especially since the
probabilities of a repeat event in the future just jumped off the scale.
What areas of contingency planning need to be re-examined in light of this increased threat? To start with, it is essential to review the
equipment replacement provisions of the plan. Older equipment, particularly that which may be difficult if not impossible to replace,
must be identified. The used equipment market, leasing companies or brokers may be able to locate the required types and
quantities. The contingency planner must then evaluate the cost case and either acquire the replacement gear or recommend an
upgrade to more modern, and therefore more readily available equipment.
Those companies that store backup tapes in that huge fireproof vault in the basement should rethink that approach in light of the
nature of the Murrah Federal Building disaster. Everything in the lower levels was covered by over 25 tons of debris and, if not
completely destroyed, could not have been accessed for an extended period of time assuming there was a vault that was not
crushed. Even the practice of keeping the latest backups on site while sending prior versions to an off-site vault should be
reconsidered. (This practice is a holdover from the days when head crashes were a more common occurrence and data center
managers wanted the backup tapes within easy reach for a quick recall). Recovery plans should also consider the use of an alternate
site for office workers. Buildings damaged as severely as the Murrah Federal Building will never be repaired and reoccupied. Both
temporary and permanent replacement quarters need to be considered in any plan. Alternate site vendors do provide office and
end-user office space but in a case like this, it is probably a better bet to make arrangements for another facility reasonably close to
the damaged site.
Had this disaster struck a building with a large computing center, the business impacts might have been cataclysmic. Presuming that
there was an alternate site recovery plan for the data center, it was clear that many of the personnel would have been unwilling or
unable to travel there for recovery purposes. Whether an alternate site recovery plan is in place with an outside supplier or with
another data center within the same enterprise, a successful recovery would have been unlikely if it depended on people from the
afflicted site. Therefore, prudent recovery planning and subsequent exercises should be designed to achieve business recovery and
continuity without the onsite presence of the client's recovery specialists.
Contingency planning managers are not the only corporate personnel who are compelled to re-think their plans. Security managers
are also challenged by the higher probability of bombings in the United States, punctuated by the Oklahoma City
occurrence. They, more than most, realize that there were over 1900 bombings in the U.S. in 1992 (according to statistics from the
Bureau of Alcohol, Tobacco and Firearms) compared to under 600 bombings in 1982. They also know, based on those same
statistics, that bombings have increased every year since 1981 and there is no reason to expect that this trend will not continue.
Compounding this bleak outlook is the considered opinion of most security experts that it is nearly impossible to prevent a bombing
conducted by a determined, highly motivated and well backed radical group or individual.
It is questionable whether current structures can be made bomb-proof with retro-fit building modifications. It is also highly
doubtful that the architecture and design of many future buildings will be strengthened to better withstand a bomb. It is simply too
expensive and would result in unsightly and unfriendly structures. Weight bearing vertical columns, however, will most likely be
made round in the future (instead of square) because square columns are more susceptible to the pressure of the explosion's shock
wave. So what can be done to mitigate this risk today? There are a few actions that can be taken.
As a result of the 1983 destruction of the U.S. Marine Barracks in Beirut by a truck bomb, the United States government began
developing a high-tech sensor called EGIS. Today, EGIS is on guard at 18 airports and screens cars boarding the new Chunnel rail
service (between England and France). It can detect minute fragments of residues used to make explosives. This may be an answer
for highly sensitive installations.
There is also a software system on the market today called Bomb CAD. This program will assess the vulnerability of a structure to
explosive blasts by simulating the detonation of devices at various design points.
Finally, most security experts conclude that there is no substitute for vigilant and resourceful security personnel. It could be argued
that an attempt could have been anticipated on April 19 (on April 19, 1992, FBI agents raided the homestead of Randall Weaver in
Ruby Ridge, Idaho and shot and killed his wife and son; on April 19, 1993, the Branch Davidian compound in Waco, Texas was
assaulted by ATF agents) since this anniversary date is meaningful to some anti-government groups. However, the federal
government occupies over 8,000 office buildings in the U.S., so the precise one could have hardly been predicted.
Security can be improved in most buildings by simply keeping vehicles away from near proximity to the structure. Any bomb large
enough to damage a building would necessarily have to be carried in a car or truck. If these vehicles are kept away from buildings,
damage would be minimized. The truck that carried the explosives in the Oklahoma City incident was allowed to get within 15 feet
of the building by using a pull-in lane. This was close enough to rupture enough vertical support columns to start the progressive
collapse of the upper floors. Keeping vehicles away from buildings (as well as preventing them from parking under buildings) is the
most significant action that security managers can take to significantly reduce the risk of a building collapse should an explosive
device be detonated.
It also makes sense, according to the experts, to examine all letters and parcels coming into a building for explosives. The
"Unabomber" appears to have been awakened by recent events and has become active once again. Yet another threat to be wary of
and take precautions to prevent.
These policies, if strictly enforced, may discourage terrorists from even attempting to bomb buildings that exhibit a careful, firm and
comprehensive security posture.
As with all disasters, there are many lessons to be learned from Oklahoma City. Once the horror of the attack fades into the
memories and people all over America begin to move on with their lives, perhaps some good could be gleaned from this event.
Maybe, in the aftermath, the mixture of emotion and determination to prevent future disasters of this kind will result in real and
tangible solutions and actions. Hopefully, the lessons learned from this tragedy will have a more profound and lasting impact than
the lessons not learned from the disasters that preceded it.
John E. Nevola is site manager for Business Recovery Services Center for Integrated Systems Solutions Corporation. He is also a
member of DRJ's Editorial Advisory Board.
Disaster Recovery World© 1999, and Disaster Recovery Journal©
1999, are copyrighted by Systems Support, Inc. All rights reserved. Reproduction
in whole or part is prohibited without the express written permission from
Systems Support, Inc.