With this in mind, every mailroom manager should take the time to consider if any radical elements would consider attacking their organization to make a statement, and then review emergency procedures with the staff.

 Worst Case Scenario

When reviewing policy, start by measuring planned actions against a possible threat. We must assume that groups considering mailroom terrorism have the willingness and technical “know how” necessary to create and deploy explosives or chemical based IEDs.  The more realistic situation however, would be the use of devices containing non-lethal/non-toxic powders or chemicals designed to create panic or force the evacuation/shutdown of a building or business.  Imagine the chaos that would be created in a scenario such as the forced shutdown of the New York Stock Exchange, causing suspended trading and evacuation into streets currently filled with protesters.

 Unsafe Evacuation

An evaluation of protocols should include a complete assessment of evacuation plans to determine if alternative routes are available that would mitigate the risk of personnel being evacuated into unsafe or chaotic areas, as in the situation described above.  Additionally, threat validation methods should be examined to determine if newer technology or protocols could be employed that would provide near real time screening results, thereby eliminating unnecessary evacuations and panic.

 Awareness First

Above all else, work with internal and external security resources to maintain situational awareness and to ensure that all team members fully understand any threat as it is related to their jobs. Evaluate training and be sure mail borne threats by external sources are covered within it.

Powder in the News

Francis Biden, the younger brother of Vice President Joe Biden, experienced a scare at his residence in Ocean Ridge, Florida, when he opened a manila envelope.  As Mr. Biden opened the envelope, white dust burst out and covered his arms.  Biden had the sense to head immediately to the shower, and was fortunate that the white powdery substance was determined not to be a threat.

The popular TV show Dancing with the Stars experienced a white powder attack in a simple letter addressed to the program.  The white powder was spotted in the CBS Television City mailroom before coming into contact with any show participant.  Mailroom operations were suspended for a few hours while the incident was investigated.  This is not the first time white powder has been discovered in the mail at the CBS Television City Mailroom.  A comparable incident occurred in November of 2010.  Luckily, in both incidents the white powder discovered was not harmful.

The Lesson

Since the anthrax attacks of 2001 white powdery substances sent through direct mail have been used to threaten and scare, as well as disrupt operations, classes and court dates.  Mail safety and awareness are still vital in our mailrooms. 

Links to Articles:

“Officials Seek Source of Powder Sent to Biden’s Brother” http://www.orlandosentinel.com/news/local/fl-biden-ocean-ridge-powder-20111002,0,7154970.story

“White Powder Found in Envelope Addressed to Dancing with the Stars”
http://insidetv.ew.com/2011/09/29/white-powder-found-in-letter-addressed-to-dancing-with-the-stars/

Exploiting the Familiar

In both 9/11 and the anthrax attacks, a system that we once assumed was familiar and safe was turned against us. With 9/11 it was airplanes — the 9/11 attacks took advantage of flaws in US counterterrorism procedures, where passengers have been told to obey hijackers and wait for authorities to resolve the situation.  The anthrax attacks exploited our trust in opening white envelopes.

A key difference – the 9/11 attacks took a team to plan and execute – and a very visible leader. The leader, Osama Bin Laden, had already been on the FBI’s Most Wanted List since 1999. It was only on May 1, 2011, that we were told US Navy Seals had found and killed him.  Amerithrax, as the FBI termed the 2001 anthrax case, was ultimately determined to be the work of one person – one that had even helped the FBI’s investigation. Called “one of the largest and most complex investigations by law enforcement”, it took developing new tests to unlock the DNA of the anthrax to help investigators narrow down the suspect list. The final suspect, Dr. Bruce Ivins, committed suicide in July 2008. The FBI concluded in August 2008 that Ivins was responsible, and formally closed the case in 2010 with many still disputing the evidence.

Disruption

Disrupting terrorists is another major departure. In the case of 9/11, the screening response is to closely control those boarding aircraft, and deal with the terrorists before they board.  In contrast, the approach to the anthrax attacks is to concentrate on mail detection upon delivery, only after it has entered the mail flow.  As a result, both mail facilities and co-located, unrelated, mail can be contaminated, if not fully secured. In Amerithrax, 35 postal facilities and commercial mailrooms were contaminated and the presence of anthrax detected in seven of 26 buildings tested on Capitol Hill. Of the five anthrax-related deaths, two were USPS personnel who worked at the Brentwood mail facility in DC, and at least two others died of anthrax without having received an anthrax-dosed letter.

The Lesson

Perhaps, the most important lesson we can draw from these events is that, while we’ve made great strides in improving our security, our last, best, line of defense remains our own vigilance. Once they understood that their only hope lay in taking action, the passengers of Flight 93 fought back to deny their hijackers a complete victory. Since then, passengers have successfully defended their lives from the Shoebomber in late 2001 and the Underwear Bomber in 2009.

Three thousand people died teaching us this lesson. There is no better way to honor their memory than to heed it.

For those lost in the woods, it’s great to find a map. And 41 CFR 102-192 §70-80 is a good start, but it is not enough. The regulation does not provide validation guidelines or inspection protocols. When it comes time for inspection, many facilities find they have hardly made progress. So now that there is a map, the industry needs a compass – an industry wide set of security requirements designed to maximize the effectiveness of safety measures while minimizing cost and security-related delays.  This is a call for action.

Last month we discussed the urgency of the Al-Quaida threat. While seeking additional mandates, no organization should be waiting for additional regulations to show them the way forward. Here is what mail facilities can do now to establish their own mailroom safety policies:

1. Define Agency/Company objectives.
2. Match requirements to objectives.
3. Keep requirements simple and obtainable.
4. Define compliance standards and inspection guidelines.
5. Establish quality control and assessment standards.
6. Train adequately for each requirement.
7. Require and enforce annual evaluation and reporting standards.

Two tips that have helped both commercial and government organizations successfully set policy:

-          Keep it simple. Complex guidelines create confusion and are open to miss-interpretation.

-          Keep it measurable. There is nothing more frustrating than being asked to achieve an undefined standard.

Commercial organizations can also establish a policy baseline from reviewing 41 CFR 102-192 §70-80. But even federal mailroom employees may not be familiar with these regulation facts:

1. The reporting requirement requires a thorough read to see that annual inspections should be conducted by outside agencies or resources. 
2. This is a top reason for non-compliance — most people assume their facility is covered by their agency’s overarching policy, when it isn’t.

For more information, read 41 CFR 102-192 §70-80.

By:  Keith James

The FBI recently issued a warning regarding the potential for attacks by Al-Qaida against individuals using mail borne bombs or other devices.  The warning, initially referenced in reports by NBC and Fox News (see the links below), was based on a threat issued by al-Qaida in early June that encouraged the use of mail, parcel, and courier services to deliver bombs or other threats directly to individual targets.

 According to an article published by the Investigative Project on Terrorism (IPT) (see “Al-Qaida issues New Mail Bombing Threat”), a non-profit research group, the FBI warning also follows a statement urging “individual jihad” by al-Qaida member Adam Gadahn.  A translation and analysis of the message, published by IPT, explains that this threat is geared toward spurring the  “lone wolf” al-Qaida sympathizer to action, encourages the use of “booby-trapped parcels” and includes a list of potential targets.

The threat is further validated in the November issue of al-Qaida’s Inspire Magazine, which details how the organization “successfully” deployed parcel bombs aboard UPS and FedEx flights.  The issue, titled $4,200, describes how a modest investment by al-Qaida on the Arabian Peninsula (AQAP) fooled ground security with the parcels making it aboard two cargo flights bound for the US.

And this is the wake-up call for our industry — in the companion article “Technical Details” the author points out that al-Qaida is well aware of the capabilities and limitations of mail screening technology.

Successful programs understand this. They constantly evaluate their technical applications and operational processes and gear the evolution of their programs to meet the changing threat.

Key points to remember when evaluating your program include:

1. Conduct annual threat and capabilities assessments.
2. Find the proper blend of technology and operational protocols
3. Integrate robust quality controls
4. Ensure threat awareness is part of the organization’s total training initiative. 

Read More:

Good bargain for us’: Al-Qaida group touts small-scale attacks “To bring down America we do not need to strike big,’ say jihadist magazine editors: MSNBC: November 21, 2010

Possible Al-Qaida Hit List Targets Specific Americans: Jonathan Dienst and Shimon Prokupecz: NBC New York:Thursday, Jun 16, 2011

Al Qaeda – Linked Site Posts “Hit List” of U.S. Targets, Prompting Feds to Send Alert:  Judson Berger: Fox News. Com: June 16, 2011

Al-Qaida Issues New Mail Bombing Threat: IPT News: June 15, 2011  

Al-Qaeda’s Inspire Magazine – Special Edition:  IPT News: November 22, 2010

How can the industry effectively evolve mail screening and security? Technology? Protocols? QA? Training?  You are invited join the discussion below:

• Follow your instincts Concerned about a package? Follow your instincts and DO NOT OPEN IT. Leave the envelope on a flat surface and tell your supervisor.
• For powdersPlace the letter and envelope on a flat surface. Do not attempt to clean up the mess or collect samples.  Move away from the threat but stay in the general area. Do not remove clothing. Notify your supervisor and call 911.
• For potential explosives If holding the package or letter, gently set it down, notify your supervisor, follow procedures to evacuate the area and call 911.
• For threatening messages If you open a letter or package that contains a threatening message but no visible liquid or powder, do not ignore it.  Do not return the letter to the envelope or box. Place the contents and envelop or box together on a flat surface and notify your supervisor.
• For chemicals Place the letter and envelope on a flat surface. Do not attempt to clean up the mess or collect samples.  Move away from the threat, carefully remove affected clothing and evacuate to the nearest decontamination area. Notify your supervisor and call 911.

It is the mailroom manager’s responsibility to ensure that this apathy does not affect the protaection of critical infrastructure. Here are three ways to overcome apathy:

1. Concentrate on solutions that use existing or readily obtainable technology.  Choose the best solution(s), understand the implications, anticipate the objections, know the pros, cons, and costs.
2. Develop exercises and test your facility’s current ability to react to various threats. Challenge security and management team members through the use of creative yet realistic training and exercise scenarios. Include first responders and key management members in your planning, training, and exercises.
3. Seek input from all participants and observers. Be open to participant/observer input. This is a continuous processes not a linear event.  As soon as one evaluation cycle ends, the next begins.   

 For more ways to overcome apathy, read the White paper by Keith James