Verizon's CSO discusses the strike, sabotage, executive security and planning ahead
Verizon has experienced an explosion in the number of acts of sabotage inflicted on its sprawling telecommunications network since August 7, when 45,000 of the company’s union workers went on strike.
And, unfortunately, there’s only so much Michael Mason, Verizon’s chief security officer, can do about it. With “thousands” of vulnerable points among its infrastructure throughout the Northeast and mid-Atlantic regions, it’s impossible to secure every location, said Mason, who spent 25 years at the FBI before joining Verizon in January 2008. “The game favors the offender,” he said.
Security Director News caught up with Mason during the eighth day of the strike to discuss countering sabotage, the vulnerability of telecommunication networks, executive security during protests, working with local law enforcement, and how security directors should plan for a potential strike. The following interview transcript has been edited for clarity and length.
SDN: What challenges do security directors face in the wake of strikes, protests, and other times when sabotage can occur?
Mason: I think one of the biggest challenges is trying to communicate the message that acts of sabotage, acts of verbal or physical assault against management employees, do nothing to advance the cause of the items being negotiated at the table. In our case, where our critical infrastructure is relied upon by much of nation, intentional sabotage to that network can have unintended consequences that I think the person who perpetuated the act may not have planned for or may not have intended. We had a police department, Cedar Grove Police Department [in Cedar Grove, N.J.], taken offline by a malicious cut or by an act of sabotage. It goes without saying, if the police department is taken offline the harm that that does.
The problem we have–my security team, as well as the police and FBI and everybody else who’s helping us–is there are ten times more opportunities to attack the network than there are people to cover them. We can’t have people standing by closets–the things you pass walking your dog in the neighborhood. We can’t assign a police officer or security officer to stand at every one of those things.
And the reality is–just so people understand that we’re not talking about a normal amount of sabotage–in the six months prior [to the strike], we had 46 incidents of sabotage. That roughly equates to about 1.75 per week for that six months. Today is day eight of the strike and we’ve had 143 acts of sabotage and there is no way that you would have that sort of exponential increase in essentially one week–where we historically have 1.75 per week, now we’re at 143 in one week. There is no way those two events are unrelated. No way.
Given the importance of Verizon’s infrastructure, what kind of physical security measures are in place to counter this sabotage?
We have a number of things that we are engaged in to help us identify the perpetrators. Obviously I don’t want to detail those with any granularity ... Again, the targets of opportunity out there far exceed our ability to cover all of them, so we really rely on good people to do the right thing. We’ve enlisted neighborhood watches in some places around the country; we’ve tried to get our story out so if people see somebody not in uniform, not wearing an ID at one of these closets, at one of these hubs, that they might call the police if they think there is anything funny about what’s going on. So we’re trying to enlist the public, because after all the public is impacted as much as Verizon–actually more than Verizon.
Is it financially unrealistic to have each vulnerable point in the network under video surveillance?
It would be way too expensive to engage in that kind of protective umbrella, and it would far exceed in normal times what you need. So for the most part you’d be wasting an awful lot of money.
Do you have any ways of combating these saboteurs, of tracking them down, of somehow holding them accountable? Or is it a lost cause?
I wouldn’t say it’s a lost cause. Like I said, we are doing a number of things now that are fairly sophisticated. But to draw a line from an act of sabotage to a suspect is a very difficult thing. One of the best things you can hope to do is identify potential suspects, put some surveillance on them and hope that surveillance pays off.
What have you learned from this experience and what would you do differently next time?
It just so happens I’m keeping a running tab of lessons learned from the Verizon strike of 2011. A couple of things occurred to me that we are going to do a better job of next time.
When preparing for security details, make it a bottom-up process, not a top down. A lot of what we’ve tried to do has been driven from the top down and what happens is there is miscommunication. For example, we may have contracted for services figuring that every facility would need “X” and then you push that out to the field. It’s resulted in putting things in place that the people at the bottom didn’t need, didn’t want, didn’t ask for. I’m talking specifically about security services. Often times when you operate from the top down you take a solution and apply it enterprise-wide when, in fact, it’s not applicable enterprise-wide and it would be a lot better to drive those kinds of solutions from the bottom up.
Another thing–and these probably all seem pretty fundamental, but in the day-to-day rush of business I suspect a lot of people don’t have this information–you really need to understand where your facilities are located, you need to understand what the relative employee populations are at each location, and the criticality of each location.
I think what we would do next time is we will spend a lot more time thinking about relationships with law enforcement, trying to get everybody on board. One of the problems we’ve had is the impact of blocking management employees from going into our facilities to do the work necessary to service our customers and do work necessary to keep the network viable. [It helps to] get an understanding from the police regarding what they’re going to be able to do and what they’re not going to be able to do. We tend to treat [police] like a fixed, unlimited asset, and they are neither. You have budgetary problems, staffing problems, shift-change problems, all of those things we’ve dealt with. So early on, little things make a big difference. Let’s say the police department shift change is 6:30. Well, it might help to delay the arrival of large populations of employees until 7. And to the extent we can do that and it doesn’t have a negative impact on the customer-facing aspect of the business, we can do those kind of things. So it’s a matter of getting with the department and asking how can we help you, help us, but getting way out in front of those things. That’s one thing we need to do better.
How do you handle executive security during a strike and protests?
There are two answers there. Number one: We don’t want to appear to blanket an executive while we have employees going through that same gauntlet every day. In fact, our CEO is adamant about that. He’s not going to be escorted through anything.
What we have is a tight situational awareness. I wish I could say I get the advance notice I want, but it’s like herding cats. They’ll come to you within an hour and say I’m getting on a plane to go somewhere; I’m getting in a car to someplace. What’s important is they get situational awareness as they’re arriving at the scene. Let’s say it’s just too hot and it would be stupid to have them get out and further inflame the crowd. Then we can just wave them off. But that doesn’t take a security person sometimes; sometimes that can take a manager with whom we’ve worked and say, “Hey, give me a SITREP.” Now the flip side is we don’t want a manager who’s going to see 25 picketers and wave them off because it’s too many people. I mean, we’ve had executives walk through 200 people. What matters is the demeanor of the crowd. We certainly focus on that, but we are expending five times more effort dealing with keeping the rank-and-file employees, who are dealing with these gauntlets every day, safe.
Do you have any final pieces of advice for security directors who might find themselves in similar situations?
If you are in an industry that has many points of vulnerability, the time to start thinking about the drop-down menu of incidents you could face in the wake of a strike call is way out in front–a year, two years, out in front.
I also think if you’re dealing with the potential of a strike, you got to play it as if there’s going to be a strike. And the downside of that is the financial implications. But, you can do a lot of what I’m talking about–you can do a lot of planning–without the disbursement of a lot of resources. For instance, do your facilities have mobile barricades available to deploy the moment a strike is declared? Because one thing I can tell you: It’s a lot easier to start with a containment plan then try to implement one after people have had certain liberties at a facility. So if you can somehow contain where the strikers will be allowed to walk or march, you’re a lot better off then trying to get that genie back in the bottle later. Those are the kind of things I am really going to work on the next time around.