Lessons of Sept. 11Ex-NY Police Investigator Reflects on What We've Learned
"As an example let's look at the recent hurricane [Irene] that hit the east coast," says Sullivan, who spent months cleaning up at Ground Zero in New York City in 2001, and who now serves as the director of AMLtrainer.com, an anti-money-laundering policy and training academy. "You ask the question, 'How far have we really come in our emergency preparedness when this relatively small hurricane hits the east coast and it shuts us down for awhile?'"
Sullivan recommends three areas of improvement for organizations looking to progress their disaster preparedness:
- System of Vertical and Horizontal Communications - The system could be accessed and shared by all levels of government authority, Sullivan says. "You would have thought that after 9/11 we would have had something like that, but then along came Hurricane Katrina and we realized that we still had some major issues in coordination and communication."
- Critical Incident Planning and Preparation - This should be commonplace by all agencies, both government and private, and practiced, Sullivan explains. "When a critical incident comes along, people will always revert back to what they learned and practiced in how they were trained," he says in an interview with BankInfoSecurity's Tracy Kitten [transcript below].
- Top-Down Approach - The heads of government and organizations need to lead by example. "Critical incident response has to be bought in to by the people at the top of each organization," Sullivan says.
Also in his interview, Sullivan discusses:
- Why lingering infrastructural vulnerabilities still need to be addressed;
- The fluid approach to disaster preparedness;
- The critical role communications play in adequate and timely response.
Sullivan is a former Investigator with the New York State Police and was the state investigations coordinator assigned to the NY HIFCA El Dorado Task Force in Manhattan. He has more than 20 years of police experience and holds a master's degree in economic crime management. He is a certified anti-money laundering specialist and anti-money laundering professional. He is also the director of AMLtrainer.com, am AML policy and training academy.
Memories from 9/11TRACY KITTEN: You now work as an independent specialist who focuses on anti-money laundering measures banking institutions and others in the financial arena should embrace and practice, but before going out on your own you spent about 20 years of your career in law enforcement and you were working as an investigator with the New York State Police on Sept. 11, 2001 when the World Trade Center was attacked. You have a unique perspective that's personal as well as subjective. You and I have spoken in the past about your experiences that day, but for those members of our audience who have not been privy to some of those discussions, could you tell us a bit about your experience on 9/11?
KEVIN SULLIVAN: I consider myself as being very, very lucky that morning, as it was just by the grace of God that I was in court testifying and not in the office which was just a few blocks away from the World Trade Center, where I would have been on the scene trying to help out just before the towers fell. I'll never forget the eerie quiet on the street, the hideous odor in the air and the sight of ten stories of rubble all around me. I distinctly remember thinking to myself: Where are all the desks? Where's the office furniture, the copy machine or any reminiscence of what was once there? All I could see was dust, high-beams and rebar, and more and more dust. It seemed that everything that once was, was now pulverized. Every day at the site I would get a knot in my stomach and then I would feel terribly guilty as I realized that there are a lot of people who died and a lot of people who lost family, friends and loved ones. And yet I came away relatively unscathed which in turn makes me feel quite uneasy talking about this.
Preparedness Pre-9/11?KITTEN: I can understand that. You and I have talked about some of the things that have changed since 9/11. From an incident response perspective, how prepared were we to respond to an attack like 9/11?
SULLIVAN: Well I will probably say the incident range has left a lot to be desired. We were not prepared to deal with our vulnerabilities. We have always been a free society, secured by oceans away from international terrorism and when it came to our doorstep it was quite the wake-up call. What was truly amazing is that after a brief period of time right after 9/11, everyone seemed to function as one without regard to political motivation or selfishness. It's just too bad that didn't last.
KITTEN: What lessons have the banking industry or banking institutions individually, governments, hospitals, etc., learned since 9/11?
SULLIVAN: For our force we realized we can no longer purely be reactive, and instead we created proactive units and special details, everything from intelligence systems to beefing up physical security, and investing heavily in manpower for the expanding counter-terrorism units. As far as the financial institutions, it was important to consider back-up and redundancy from an IT perspective and the fattening up of physical security. And of course from an AML perspective, the financial world changed immediately and most certainly with the creation of the Patriot Act as we started a new course and developed methods to detect and deter money laundering and terrorist finances.
Incident Response Pros and ConsKITTEN: We've talked a little bit about some of the things that have changed, but where have we made improvements in our response and recovery specifically?
SULLIVAN: It's been a lot of varied improvements, but I think the greatest improvement of all is in our awareness. We all now realize what can happen and may happen again, and if the terrorists had their way they would make 9/11 look like small potatoes. We need to continue our investment in anti-terrorism and all fields have been better and not deterred by complacency. The problem is that we need to be right all the time, but they only need to be right once.
KITTEN: Right, and when you take a step back and you think about some of the things that we've done and some of the things that we may need to do, what more needs to change? What more could we be doing?
SULLIVAN: We need a system of vertical and horizontal communications that can be accessed and shared by all levels of government authority. You would have thought that after 9/11 we would have had something like that, but then along came Hurricane Katrina and we realized that we still had some major issues in coordination and communication. Critical incident planning and preparation should be commonplace by all agencies, both government and private, and finally practiced. When a critical incident comes along, people will always revert back to what they learned and practiced in how they were trained. I know I certainly made fun of all the fire drills in school and all that "sky is falling" .... When it became real the response became second nature.
KITTEN: In what industries do you see the greatest challenges? Where do you see those industries struggling the most when it comes to disaster recovery?
SULLIVAN: I think everything needs to begin with a top-down approach. Critical incident response has to be bought in to by the people at the top of each organization, and from a much larger perspective from the heads of our government. They all must lead by example.
Financial Institutions and Disaster RecoveryKITTEN: That's a good point because I was going to ask specifically about some different industries, and of course government is one of them. But before I move into that line of questioning, I wanted to ask about the financial services perspective. There are so many different entities, as you've touched on earlier, such as transaction processors, networks, the banking institutions themselves, they all must maintain communication as well as the ability to function, and it's easy for infrastructural hiccups to occur during times of disaster. How has the financial services industry specifically changed the way it does business since the 9/11 attacks?
SULLIVAN: [With] so many variances by institutions, I certainly can't speak for them all. I often wonder how the little guys manage to keep up because it costs so much money to be involved in this stuff. One of the concerning complaints from some of the little guys is that it costs too much to buy software and to keep up with this stuff. But the big players have all developed multiple redundancies to protect their information and constructed at various physical locations and different areas of the country to protect against a disaster in one particular locale. Then further, most of them have developed some sort of strategic planning for critical incident response.
KITTEN: What about other sectors such as government, healthcare and telecommunications? Where have they made improvements to ensure not only communication but also the ability to continue functioning and operating at acceptable levels?
SULLIVAN: I think it's still a very big work in progress, and as an example let's just look at the recent hurricane that hit the east coast. I have a friend in New Jersey who just got his power back the other day after over a week of no power. I know the phones are out. Mine were out for a while and other people are out and communications were looted. So you ask the question, "How far have we really come in our emergency preparedness when this relatively small hurricane hits the east coast and it shuts us down for a while?" I can't really say, but it certainly does not appear that we have all our ducks in a row just yet.
'We Were Absolutely Caught off Guard'KITTEN: Right, that's a good point. Now going back to talk about 9/11 specifically, would you say that we were caught off guard, and do you see current vulnerabilities that could lead to us being caught off guard again?
SULLIVAN: Oh yeah, we were absolutely caught off guard. We were far too complacent and yes there are vulnerabilities that can be exploited. However, with all due respect, I just refuse to be the guy that talks about a sensitive vulnerability that in turn enables some idiot to go out and do or get the idea to do something stupid or some bad deed. Some of the stuff I'm going to keep to myself. I hope you don't mind that.
KITTEN: No, that's completely fine. Before we close, what final thoughts would you like to leave our audience with generally as it relates to this anniversary of 9/11 or disaster recovery generally?
SULLIVAN: I thought you might ask this question, so I kind of had to think about it for a second. I thought that the best response is actually not one from me. It's to quote someone who is much, much smarter than I am and that's Winston Churchill. Churchill said, and let me quote this, "A man does what he must - in spite of personal consequences, in spite of obstacles and dangers and pressures - and that is the basis of all human morality. When good people in any country cease their vigilance and struggle, then evil men prevail." I can't say anything better than that.