Fed Program Initiates Life-Saving Training for Shootings, Terror Attacks

The length of time victims wounded in school shootings and terror attacks must wait for help from an EMT could be minutes or hours—during which time they could bleed to death. This has happened in a number of cases, including a shooting at an Orlando nightclub in June, when a woman bled to death while waiting for help to arrive.

These incidents have prompted the Department of Homeland Security’s Stop the Bleed campaign, a nationwide initiative to empower individuals to act quickly and save lives in emergency situations. Bystanders are asked to take simple steps to keep an injured person alive until medical care is available. Security guards, custodians, teachers and administrators are being trained at schools and other places to administer first aid until help arrives.


Stony Brook University Hospital’s trauma center is spearheading training for school districts and colleges across the country. According to the Associated Press:

At a recent training session, paramedics and doctors brought in fake body parts—blood spurting from the wounds—to show staffers of a Long Island school district how to tie tourniquets and pack open wounds with whatever they have.

“Seconds matter. It really can be minutes when you can lose your life,” said Dr. James Vosswinkel, the chief of trauma and emergency surgery at Stony Brook University Hospital, who led the training.

Doctors emphasized that in the critical seconds after an attack it’s important for teachers and other school staff to stay calm and begin assessing injuries. Teachers learned to apply tourniquets in case a student is shot in the arms or legs—using T-shirts or belts, if necessary—and to stick anything they can to pack wounds in the torso.

Stony Brook doctors have reached out to local schools to offer the training, but are looking to expand the program as part of a federal Department of Homeland Security initiative to other schools, colleges and police departments across the country.

“Nobody should die from preventable hemorrhage,” Vosswinkel said.

Top Obama Administration Officials, Law Enforcement Reach Out at RSA Conference

Attorney General Loretta Lynch addresses RSA Conference 2016

SAN FRANCISCO—Many of the Obama administration’s top brass are here in force, addressing some 40,000 practitioners from every part of the technology and information security industry at the annual RSA Conference. Set against the backdrop of the ongoing fight between Apple and the FBI over encryption and backdoors, the tension ebbed and flowed during sessions with Attorney General Loretta Lynch, Secretary of Defense Ashton Carter, and Admiral Mike Rogers, U.S. Navy Commander, U.S. Cyber Command, and director of the NSA. While many speakers will not address the issue directly, the subtext is clear throughout the show, particularly as the public battle brings considerable interest to the privacy and security issues the RSA has centered on for 25 years.

Indeed, in his keynote address, RSA President Amit Yoran called law enforcement’s current stance on encryption “so misguided as to boggle the mind.” Brad Smith, president and chief legal officer of Microsoft, chimed in as well, asserting that we cannot keep people safe in the real world unless we can keep them safe in the virtual world. He lauded Apple and pledged that the tech giant would stand with Apple in its resistance.

Secretary of Defense Ashton Carter in Conversation with Ted Schlein of Kleiner Perkins at RSA

While the gravity of the issue and the massive potential impact for many in the sector are boggling many minds here, the administration officials’ sessions also offered more broadly positive comments for businesses outside the tech sector. The conciliatory tone Lynch and Carter often struck centered on the critical need for partnerships between technology and government. They tried to emphasize the ways the administration is reaching out to private entities, both within Silicon Valley and across corporate America at large.

According to Sec. Carter, for example, the United States Cyber Command has three core missions: defending the Department of Defense’s network; helping American companies, the economy and critical infrastructure; and engaging in offensive cyber missions. The second is a key pillar, he said, as the DoD must keep in perspective that the strength of American entities is the strength of the nation. From threat intelligence to the Defense Innovation Unit Experimental he announced yesterday, to be helmed by Google’s Eric Schmidt, Carter believes there is considerable need for industry to engage with government on cyberrisk, and both parties have valuable assets to contribute. “Data security is a necessity, and we must help our companies harden themselves,” Carter said. Indeed, he wants both help for and from the industry. In closing, he said, “We are you. You pay us. We represent you and our job is to protect you, and we’d love to have your help.”

He also noted that the DoD is trying to learn a bit about managing its cyberrisk from the commercial sector’s best practices. “We do grade ourselves and we’re not getting good grades across the enterprise,” Carter told reporters Wednesday, according to Defense News. “I have these meetings where I call everyone in and we have these metrics which tell us how we’re doing [and] if you don’t score well, that is evident to the Secretary of Defense at those meetings.

“We don’t assume for a minute that we’re doing a perfect job at this,” he added. “That’s the whole reason for me to be here and the whole reason for me to be engaging with this community here at this conference.”

Carter also announced that the Department of Defense will be hosting “Hack the Pentagon,” a bug bounty program offering white hat hackers cash for finding and reporting vulnerabilities in the Pentagon’s websites. Many companies have been offering these programs to try to discover their exposure in a controlled setting, without the risk of reputation damage, personal information exposure and business interruption that accompany an unknown hacker finding them instead. Carter called these a “business best practice” to gauge preparedness.

Federal law enforcement also has a notable presence at RSA and is making a pronounced effort to reach out to businesses regarding cyberrisk, threat intelligence, and managing a cyberattack. Indeed, in one session Tuesday, panelists from the Department of Homeland Security, FBI and the White House urged a call to action for businesses to get serious about proactively building bridges with law enforcement and to make use of the many resources the administration is trying to activate to help private industry fortify against cyber threats. The government is working to make it easier for companies to turn to it for help, they said, and attitudes are shifting to more consistently recognize and respect victimized businesses and minimize business interruption.

Some in the audience expressed skepticism, such as one man who seized upon the Q&A portion of a session on government departments’ specific roles in fighting cyber criminals. He asked how the government can be trusted to help industry when it cannot protect itself. But corporate entities should be taking note, particularly of the services available. While many hesitate to share threat intelligence or even successful attacks, Eric Sporre, deputy assistant director of the FBI’s cyber division, stressed that FBI Director James Comey has made it a directive for FBI field offices to develop relationships with local businesses and to treat businesses as crime victims, not perpetrators. In responding to attacks, he noted, the Bureau sometimes even brings in victim services to holistically approach aiding in the investigation and recovery process.

Andy Ozment, assistant secretary for cybersecurity and communications at the Department of Homeland Security, also highlighted the preventative measures his department offers companies, including personal risk assessment services. In some cases, chief information security officers and other executives engaged in cyberrisk management functions have been getting DHS assessments, using them as a tool to drive investment or otherwise sell cyber upwards with the board or C-suite of their organizations.

Happy Cybersecurity Awareness Month

October is National Cybersecurity Awareness Month. Here at Risk Management magazine, we celebrated by running an eight-page feature on the topic in our latest issue. Over at the Department of Homeland Security, they have launched an online campaign to educate the public on the threat and ways to mitigate it.

Atop the webpage for its “Stop. Think. Connect” campaign is the following quote from the president.

“Cybersecurity is not an end unto itself; it is instead an obligation that our governments and societies must take on willingly, to ensure that innovation continues to flourish, drive markets, and improve lives.”

— President Barack Obama

And they also include the handy chart below on ways people can protect themselves.

Increasingly, the government is taking this risk seriously. I heard a presentation by Richard Clarke this summer and he warned that the United States remains woefully underprepared for cyberthreats. That’s probably true, but Washington officials are ramping up their efforts with reforms like the National Cyber Command. And while a web campaign isn’t going to protect the nation against Chinese hackers, Iranian worm attacks or North Korean cyberattacks, it will hopefully help a few people increase their personal safety, even if ever so slightly.

And while that isn’t the major leap forward the nation needs to stay protected in a world in which the digital threat gets scarier every day, increasing the security of one person at a time is better than nothing.

What Is Resiliency?

When it comes to disasters, prevention is of course better than recovery. But the real world is not paradise and catastrophes will occur. That inevitability means that how companies are able to respond and bounce back might be the most important aspect of disaster management.

Nobody’s perfect — but everyone can be resilient.

But what does that mean? What is resiliency?

Michael Collins of Argonne National Laboratory is helping define it for communities across the United States. And today at the World Conference on Disaster Management in Toronto, he discussed how, along with the Department of Homeland Security (DHS), his agency has been tasked with sending officials throughout the nation to assess how each area stacks up. Ultimately, the goal is to compile an objective, quantitative, comprehensive database so that the government — federal, state and local — has a baseline against which municipalities can be compared. It is an in-depth, long-term project that will greatly aid both DHS and FEMA in determining how communities can become more resistant to disasters.

So far, the “resiliency index” they are developing remains in its infancy. We will bring you more on it in the near future as I flesh out more of the details and get the opportunity to speak with Collins directly.

But as they continue to push things forward, let’s first look at a few of the definitions that Collins shared today in his presentation on what resiliency really means.

“Our goal is to ensure a more resilient nation. One in which individuals, communities and our economy can adapt to changing conditions as well as withstand and rapidly recover from disruption due to emergencies.” – Barack Obama

“The capability to anticipate risk, limit impact and bounce back rapidly through survival, adaptability, evolution and growth in the face of turbulent change” – Community & Regional Resilience Institute

“The ability of individuals and communities to deal with a state of continuous, long term stress; the ability to find unknown inner strengths and resources in order to cope effectively; the measure of adaptation and flexibility” – Michael Ganor

“The ability of community members to take meaningful deliberate collective action to remedy the impact of a problem.” – Building Resilience to Mass Trauma Events

“A sustainable network of physical systems and human communities, capable of managing extreme events; during disasters, both must be able to function under extreme stress.” – David R. Godschalk