 |
|
|
|
|
|
 |
Royal Society conference17 November 2005 Science and security - informing NZVenue: Civic Suite, Old Town Hall, Wellington A relatively isolated country like New Zealand faces a wide range of security risks, some large, some small. There are many possible hazards and threats, and increasingly new technological or systemic risks, that could affect people, the economy, the environment, or normal community functions. The Royal Society and scientists can make an important contribution to the development of policy, and discussion on philosophical issues. This conference considered the broader concepts of security and provided a platform for on-going discussion and improved decision-making. It focused on inter-comparison and mitigation across all national security issues, quantification of risk and risk management issues. The conference was sponsored by Biosecurity NZ and the US Embassy. Final Proceedings (1.8MB, PDF) ProgrammePDFs of presentations are linked off the programme below. Some pictures are omitted to reduce file sizes. SESSION 1Geospatial Intelligence: Geoscience Australia’s approach to science and securityP L Mc Fadden Chris Pigram Modern society is a highly complex environment that is critically dependent on a distributed network of independent, mostly privately owned, man-made systems and processes working collaboratively and synergistically to produce and distribute a continuous flow of essential goods and services. These infrastructures are highly interdependent. Individual outages can be serious enough, but this growing degree of interconnectedness can make possible a whole new scale of consequences and these consequences are often non-linear. Outage “ripples” in one infrastructure may cause cascades of economic malfunction. Consequently society can be highly vulnerable when subjected to sudden and unexpected change. The origin or causes of these changes can be either natural or man-made. The issue is not necessarily the nature of these threats, but more importantly, what methods and tools can be employed to mitigate there effects. Because of its history in developing geospatial intelligence to assess the risk of critical infrastructure from natural hazards, Geoscience Australia has been co-opted by Government to extend the applications to a security context. Geospatial Intelligence is a vital capability that underpins all four key areas of mitigation: planning, preparedness, response and recovery. The approach requires a thorough understanding of the hazard, the resulting exposure and consequently the vulnerability, which is then used to develop a mitigation strategy based on an assessment of the risk. The approach is based on high-quality inputs in the form of data (fundamental spatial and aspatial data describing the existing geographic, natural, social, political, economic, and built environments), information (e.g., individual systems dynamics, business processes, site specific issues, commercial realities), and relationships (to identify interdependencies and to be able to model the environment). These inputs then provide a basis for analysis and intelligence to be developed so that the risk can be assessed. Overall the approach allows for more rigorous geographic modelling and analysis for risk assessments by facilitating a geographic aspect to “data mining” and hence a geographic context for decision support. It is then possible to assess the vulnerability to disruption of interconnected systems and evaluate consequences and effectiveness of mitigation strategies through iterative scenario development and modelling to test planning and response options. Presentation (pdf) Risk management methods for national security issuesPatrick Helm Security issues present difficult challenges for several reasons. They are inevitably complex; they are usually unpredictable or characterised by high levels of uncertainty; and they tend to have multiple contributing factors, often with complicated interdependencies. For central government there is no more important responsibility than ensuring the safety and well-being of its sovereign society, yet the management of national security is still more an art than a science. No nation has yet been able to develop an omnibus or overarching strategy to control all of its national security risks. Security concerns have traditionally been managed individually and conservatively by community leaders using collective judgement and commonsense responses—often after disasters strike. Because major crises occur relatively infrequently, there is usually little recent experience among decision-makers. Where security planning has happened, it has typically been based on policies of risk avoidance rather than risk management. But a number of new factors are emerging that are influencing national security environments the world over and increasing the demands for more scientific approaches to managing security. These are not just the threats from new forms of malevolence, but rather an increasing array of new societal and systemic risks. People globally are pressing their boundaries; communities are becoming more complicated; and demographic changes are creating new security issues as people concentrate in ever larger cities or occupy hazard-prone areas. New classes of risks are developing that are inadequately understood. As communities become more reliant on very advanced technologies; as they accept the economies of “just in time” production without understanding the limitations or assumptions; and as they increase their dependency on closely coupled infrastructural systems, their vulnerability widens. In such situations there are opportunities for unexpected synergies to develop between otherwise independent risks, and the scale of potential disaster is magnified. In the past decade risk analysis and control techniques have evolved to the point where they can now contribute significantly to the management of many classes of risk. Such strategies of themselves cannot guarantee national security because of the role that chance and uncertainty play. But in conjunction with good science and comprehensive management, risk assessments can help illuminate the problems; contribute to an understanding of component risks; expose inter-relationships between factors; point to promising control options; and inform the allocation of resources to achieve maximum benefit from mitigation or counter-measures. Increasingly complex risks will invariably require increasingly complex solutions. Scientific methods have much to contribute, not just to the analysis, but to the mitigation and management of these new security risks. Presentation (pdf) Science and biosecurity—monitoring the effectiveness of biosecurity interventions at New Zealand’s bordersCarolyn Whyte Last year, more than 4 million travellers, more than 45 million pieces of mail and over half a million sea containers arrived in New Zealand. MAF has processes for managing the biosecurity risks associated with these and other entry pathways, including regulatory and operational requirements. Import health standards specify the criteria that permitted risk goods must meet before entry clearance can be given. Operational standards specify the requirements for clearance of mail, passengers, craft and containers. Trained inspectors work at New Zealand’s ports and airports, undertaking inspections and operating specialist technology such as x-ray machinery. But will these pre-border and border measures be enough? Surveillance programmes give early warning for a variety of exotic organisms, but not for all. We know that achieving zero risk is impossible and that some slippage will occur, but how well are our current interventions working, and what level of biosecurity risk is slipping through our border and pre-border defences? In order to address these questions, the recent restructuring of MAF Biosecurity Authority into Biosecurity New Zealand saw the creation of the Biosecurity Monitoring Group. This group, part of Biosecurity New Zealand’s Pre-Clearance directorate, is tasked with measuring slippage on pathways of entry, identifying gaps that exist in current systems, assessing trends in pathway risks, and developing options for mitigating pathway risks. Recent work by the group includes a survey of arriving international mail, surveys of international air passengers at Auckland, Wellington and Christchurch airports, and monitoring the results of sea container inspections to develop container risk profiles. On-going work will develop and monitor measures of slippage for all entry pathways. The way in which slippage is measured must give a quantity of various risk goods entering New Zealand, rather than a percentage detection. The percentage of possible detections that are actually made is a useful figure from an operational standpoint, but does not address the issue of increasing volume. The result of an 80% detection rate may be acceptable now, but if volumes doubled, the quantity represented by the 20% missed would also double. Therefore, the Biosecurity Monitoring Group estimates the quantity of risk material arriving on a pathway that is not intercepted. As the quantity is made up of diverse types of items (e.g., fresh fruit, meat products, live animals and plants, contaminant organisms), a rating scale is applied to give a weighting in “risk units” to each missed risk good, based on its perceived impact to New Zealand’s economy, environment and health. The measurement of slippage in risk units then becomes an indicator that can show changes in slippage over time, differences among pathways and among seasons. The concept will in time be used to evaluate the cost-effectiveness of biosecurity interventions and to assist in prioritising pathways for investment. Presentation (pdf) SESSION 2Earthquake risk assessment: from scientific research to risk management decisionsWarwick Smith The task of earthquake risk assessment is one of combining the findings from three separate areas of research, and of presenting the results in a way that provides a useful basis for risk management decision-making. Seismological studies of where, how large and how often earthquakes occur throughout the country provide an earthquake source model, which estimates the probability that future earthquakes will occur. Seismological analyses of the severity of strong ground motion in earthquakes provide a hazard model, which gives the probability that any given location will experience strong shaking. Engineering studies of the effects of strong shaking on various types of buildings, when combined with the hazard data, give estimates of the probability that there will be damage. The purpose of risk assessment is to provide an objective basis to underpin risk management decisions. Insurance is one aspect of risk management that relies heavily on risk assessment and modelling: How much damage is likely? How likely? Asset owners need to be able to compare the possibility of loss with the cost of insurance premiums. Insurance companies need to know how much to charge, and how much they should pay for reinsurance. But there are other aspects of risk management. Mitigation measures are expensive. Are they worth it? What reduction in the risk can be achieved? These risk management decisions need good risk assessment to underpin them. The analysis procedures to provide that assessment are built on detailed scientific and engineering research. Presentation (pdf) Forensic Isotope Ratio Mass Spectrometry—a new type of evidenceRussell Frew Currently within a court of law if two substances correspond in composition and structure, it may be concluded they are chemically the same. Where two substances are chemically the same their origin and/or history may be different. Providing evidence of common origin/ history may be crucial to the outcome of a trial. Isotope Ratio Mass Spectrometry (IRMS) used in forensics utilises a technique already widely used in research, whereby a multidimensional plot of component stable isotope ratios within a substance is used to characterise the substance by composition. This is achievable because the isotopic profile of a substance is unique to its origin and history. Manufacturing and/or biological processes can result in the formation of products whose stable isotope composition is characteristic of a process or region. When two separate samples are chemically the same and have identical isotopic profiles there can be a very high level of certainty that both originate from the same source. IRMS has been used to determine the origin of explosives and accelerants from the trace residues collected from the scene. Bioterrorism and biosecurity applications involve determining the country or region of origin of the organism of concern. The isotope ratios preserved in body tissues such as hair or nails record conditions at the time that tissue was formed thus potentially yielding a record of the movement of that individual. IRMS is thus an extremely important technique that can both support other
analyses and provide further evidence that otherwise would not be available.
The only current drawback is that the forensic application of IRMS is relatively
new and significant research and method validation is required to ensure admissibility
and relevance of any data tendered. However, there are vast applications for
intelligence gathering and the elimination of lines of questioning. Presenation (pdf) The evolving risks to biosecurity in New Zealand—how do we build an effective response and research strategy?Roger Morris The three main mechanisms by which disease risks occur are incursion of a well-known disease or pest, emergence of a new disease, or evolution of an old disease. All three categories of risk are very dynamic, and a response and research strategy must deal with this constantly changing situation. Traditionally incursion has been seen as the principal threat to countries, although trade and terrorism have taken over from passengers as the highest priority categories of risk for introduction of pests and diseases. However most of the major diseases of global importance in recent times have emerged (AIDS, BSE, SARS) or evolved (avian influenza H5N1), and response strategies need to be targeted to these risks as much as to incursions of well-known agents—especially since by definition the epidemiology of these agents is quite uncertain and hence they create greater fear and concern. Their trade implications can therefore be out of proportion to their direct impact. These diseases are not random events, but fall into a limited number of disease types, which I call epitypes. The defining features of likely novel disease risks will be described, and examples given of the issues which arise in responding to novel disease events. Increasingly, such incidents occur at the interface between natural ecosystems and either agricultural ecosystems or other human activities, which requires a different scientific approach from traditional military style “stamping out” of disease. Biosecurity incidents typically generate considerable political tension between successful control based on scientifically accurate information and short-term management of the incident in the perceived national self-interest. As information dissemination has become increasingly rapid and effective, this tension has come to dominate decision-making, and has seriously undermined sound disease control decisions in many countries over recent years. Illustrations of these problems and their consequences will be provided. In New Zealand, biosecurity is a high national priority because of our dependence on agricultural exports, yet national research investment in this area has been very limited, and poorly targeted to the real issues of importance, due to weaknesses in the decision-making processes. The response and research strategies in biosecurity are closely intertwined, and we need to build a joint framework to ensure that New Zealand is well placed to handle the types of events we are likely to face in the future. Failings in surveillance and detection have been the main weaknesses of the New Zealand response system in recent years, and there needs to be a rebalancing between traditional border control measures and more innovative surveillance and response capability, based on sound research evidence rather than subjective judgments. A strategy for achieving this will be outlined. Presentation (pdf)SESSION 3What can social science contribute to human security?Sabina Brendel-Lautensach Curiously, the explanation is rooted in the natural sciences. Humans, as all other animals, extract their livelihood from ecosystems. What sets us apart from other animals is our unique propensity to modify ecosystems through our behaviour. The factors that determine human behaviour range from the political, socioeconomic, and cultural, to the psychological and moral domains. Through the study of those factors social scientists contribute descriptive models that help us understand why we do the things we do. The need for such an understanding is now greater than ever. Caused largely by human behaviour, the global environmental crisis is threatening the ecological basis for the continued flourishing of humanity. I will first present a new, more comprehensive concept of human security that includes not only its traditional aspects of strategic-military security, socio-economic welfare, social justice and public health, but extends into the stability of environmental support structures. One capacity in which social science can contribute to our understanding of human security is through the analysis of human behaviour and its determinants, and how such behaviour could be modified to address the threats to human security. Changes to policies must address the sociopolitical context of human behaviour as well as dominant beliefs, attitudes and values. Another contribution comes from the analysis of social structures and the ways in which they change over time. Partly fueled by the global environmental crisis, this change is now proceeding globally at an unprecedented scale. Understanding the social dimension of projected changes will help with scenario building and the design of proactive measures towards mitigation and adaptation. A third area of contribution lies in the analysis of implicit assumptions, beliefs, attitudes and values that lie hidden in the discourse of scientific analysts and of the decision-makers. The only way by which we as academics can hope to make sufficient progress in sufficient time is by combining our areas of expertise. This requires considerable effort from individuals as the traditional disciplinary and administrative divisions often hinder the academy in properly facilitating such collaboration. Thus, even though the social sciences are making significant contributions to human security, only their integration with the contributions from the natural sciences and the resulting synergistic effect will allow for their full potential to be utilised. Presentation (pdf)Bridging the gaps: a challenge in public risk managementTerry Day In New Zealand both central government and local government have responsibilities in public risk management. New Zealanders have a justified expectation that governments will organise themselves efficiently to deal with public risk. Central government does so by setting legislation and policy that dictates roles, responsibilities and functions for itself and for local government. Local government structures itself and approaches its legislated responsibilities within the needs and capacities of its community. In the decade-old process of restructuring in both levels of government some apparent disadvantages have arisen. The systemic risk that results must be managed. This is a risk that affects the entire system, not just specific elements, and where a default in one element will have repercussions on other elements due to their interlocking nature. The trend to smaller, more isolate and independent organisations clearly creates challenges for working together on public risk issues. The legislative and policy role of central government versus the service delivery role of local government can create disassociation on critical public risk matters. This challenge is becoming more acute as the nature of disaster events, natural and manmade, is varying. Evidence shows a trend of disasters increasing in their societal impact as hazard frequency and magnitude increase. The impact of these changes is being magnified as communities become more concentrated and their infrastructure (for example, water supply, communications and financial and medical services) more complex, interlocked and interdependent. Using the recent Hurricane Katrina experience in the United States as a backdrop, three different New Zealand case studies relevant to public risk management, including a national re-examination of flood risk management, are presented to illustrate issues that arise from the current approach. Little public accountability exists in the difficult-to-manage zones amongst government organisations. While successes in managing systemic risk certainly occur, these appear to depend too much on individual leadership. Where this is lacking, there is no safety net for the community at risk. Presentation (pdf) Planning for pandemic fluKaren Poutasi The World Health Organisation (WHO) is increasingly concerned that H5N1 avian influenza in South East Asia may lead to a worldwide pandemic in humans. Even if this particular pandemic does not occur, epidemiologists predict another influenza pandemic is “not if, but when”. Pandemic influenza will have the highest impact of any likely New Zealand health emergency. A very large proportion of the population could be affected either directly or through sickness in their families, and impacts are likely to be felt throughout the whole of our society for an extended period. Good advance planning is clearly essential in order to minimise impacts, foster endurance and speed recovery. New Zealand’s pandemic planning aims to embrace all central and local government agencies, district health boards, Primary Health Organisations, NGOs, industry, and community groups of all kinds. Responses need to be well planned in advance, while retaining flexibility to adjust to the actual circumstances as they develop. A number of individual workstreams and actions have contributed to the current state of readiness, and several separate but linked workstreams will continue to develop our readiness over the next year and beyond. The Ministry has established a number of different workgroups, from the internal Pandemic Emergency Group (PEG) to oversee and coordinate pandemic planning for the Health sector, to the Pandemic Influenza Technical Advisory Group (PITAG) to provide expert clinical, virological, epidemiological, infection control and ethical advice to inform Ministry pandemic response planning. Health sector agencies are further being consulted via the Pandemic Influenza Reference Committee (PIRC), and in terms of the wider government sector, the Ministry is engaging agencies through the Interagency Planning Group (IPG). The IPG coordinates eleven workgroups addressing critical areas of the national pandemic response, each led by a key government agency. The Ministry is also engaged in an extensive work programme covering a whole range of issues pertinent to pandemic flu, for example, personal protective equipment (PPE), antivirals and vaccines, public health interventions, guidelines for primary care, and health education for the public. We have also revised and updated our Influenza Pandemic Action Plan in line with the new WHO guidelines, and added our own five-stage strategy of ‘plan for it, keep it out, stamp it out, manage it, recover from it’. Communications are key to public confidence and planning for pandemic flu is a key example of “Science and Security—Informing New Zealand”. Presentation (pdf) Internet security as risk management: beyond firewalls to crime and force majeureJohn Quarterman Traditional Internet technical security is good and necessary, but no longer sufficient. Attacks from outside the firewall used to be by bored script kiddies trying to impress their teenage friends. No longer. A few years ago, perpetrators discovered there is money in it. Nowadays bot herders get root on zombies so they can sell them to spammers, phishers, and pharmers, who may be anyone from Russian Mafia to individual entrepeneural criminals paying the mortgage. Crimes of negligence are on the rise; the record so far in 2005 for disclosing personal identities is 40,000,000 by a single organisation. Meanwhile, reputable researchers estimate $50 billion USD economic damages are possible through a single worst-case worm, and some big-company CEOs think they face $100 billion risk worldwide. Widespread worms, power outages, congestion, meteorological hurricanes: all these can act as force majeure events that affect many organisations. Fortunately, there are solutions beyond technical security, starting with backups, redundancy, and diversity. Further solutions include financial risk transfer instruments. Every public building has some sort of fire control mechanism, such as a sprinkler system, because insurers require it for fire insurance. Internet business continuity insurance is already available, and will improve over time. Catastrophe bonds are widely used for retrocessional coverage (which insures reinsurance which insures insurers) of hurricanes, earthquakes, and wildfires, and can be adapted to Internet insurance to handle the problem of aggregation, as in the case of a worst-case worm. Performance bonds are used by electric utilities to cover brownouts, and can be adapted to ISPs for SLAs. All these financial risk transfer instruments will involve requirements for more use of technical security. Reputation systems can also help. Organisations such as the Anti-Phishing Working Group (APWG) publish statistics on phishing and pharming and related exploits. This can go farther. Governments are getting into the act. Compliance laws such as SOX, GLBA, HIPAA, DPD, and PIPEDA may help, but seem to me to address the symptoms, not the causes. The banking industry's Basel II is also detailed, but seems to address the underlying problem of corporate culture and ethics perhaps somewhat better. Standards such as the U.S. NIST's FISMA and ISO 17799 also help. Legal solutions are preferable to what happened to the biggest spammer in Russia. In the United States, some high-profile spammers have been convicted recently; this may provide some deterence. In sum, aggregate damage requires collective action. Building higher forts around individual organizations is no longer sufficient. Cooperation in information and action is also required. Presentation (pdf)
|
|
