10 years after the first anthrax attacks, white powder remains the most common threat to the mailroom.  While most of these threats are hoaxes using flour or cornstarch – and some may pose active threats, they must all be taken seriously. In 2008 over a dozen U.S. embassies were disrupted by powder and caused international concern, while in 2009 a mailroom was evacuated when powdered doughnuts spilled onto the mail.

Powder in the News

Francis Biden, the younger brother of Vice President Joe Biden, experienced a scare at his residence in Ocean Ridge, Florida, when he opened a manila envelope.  As Mr. Biden opened the envelope, white dust burst out and covered his arms.  Biden had the sense to head immediately to the shower, and was fortunate that the white powdery substance was determined not to be a threat.

The popular TV show Dancing with the Stars experienced a white powder attack in a simple letter addressed to the program.  The white powder was spotted in the CBS Television City mailroom before coming into contact with any show participant.  Mailroom operations were suspended for a few hours while the incident was investigated.  This is not the first time white powder has been discovered in the mail at the CBS Television City Mailroom.  A comparable incident occurred in November of 2010.  Luckily, in both incidents the white powder discovered was not harmful.

The Lesson

Since the anthrax attacks of 2001 white powdery substances sent through direct mail have been used to threaten and scare, as well as disrupt operations, classes and court dates.  Mail safety and awareness are still vital in our mailrooms. 

Links to Articles:

“Officials Seek Source of Powder Sent to Biden’s Brother” http://www.orlandosentinel.com/news/local/fl-biden-ocean-ridge-powder-20111002,0,7154970.story

“White Powder Found in Envelope Addressed to Dancing with the Stars”
http://insidetv.ew.com/2011/09/29/white-powder-found-in-letter-addressed-to-dancing-with-the-stars/

This month, Americans commemorate the 10^th anniversary of the 9/11 and the anthrax attacks. We looked at both events to see what we could learn and found surprising similarities, and one stark conclusion.

Exploiting the Familiar

In both 9/11 and the anthrax attacks, a system that we once assumed was familiar and safe was turned against us. With 9/11 it was airplanes — the 9/11 attacks took advantage of flaws in US counterterrorism procedures, where passengers have been told to obey hijackers and wait for authorities to resolve the situation.  The anthrax attacks exploited our trust in opening white envelopes.

A key difference – the 9/11 attacks took a team to plan and execute – and a very visible leader. The leader, Osama Bin Laden, had already been on the FBI’s Most Wanted List since 1999. It was only on May 1, 2011, that we were told US Navy Seals had found and killed him.  Amerithrax, as the FBI termed the 2001 anthrax case, was ultimately determined to be the work of one person – one that had even helped the FBI’s investigation. Called “one of the largest and most complex investigations by law enforcement”, it took developing new tests to unlock the DNA of the anthrax to help investigators narrow down the suspect list. The final suspect, Dr. Bruce Ivins, committed suicide in July 2008. The FBI concluded in August 2008 that Ivins was responsible, and formally closed the case in 2010 with many still disputing the evidence.

Disruption

Disrupting terrorists is another major departure. In the case of 9/11, the screening response is to closely control those boarding aircraft, and deal with the terrorists before they board.  In contrast, the approach to the anthrax attacks is to concentrate on mail detection upon delivery, only after it has entered the mail flow.  As a result, both mail facilities and co-located, unrelated, mail can be contaminated, if not fully secured. In Amerithrax, 35 postal facilities and commercial mailrooms were contaminated and the presence of anthrax detected in seven of 26 buildings tested on Capitol Hill. Of the five anthrax-related deaths, two were USPS personnel who worked at the Brentwood mail facility in DC, and at least two others died of anthrax without having received an anthrax-dosed letter.

The Lesson

Perhaps, the most important lesson we can draw from these events is that, while we’ve made great strides in improving our security, our last, best, line of defense remains our own vigilance. Once they understood that their only hope lay in taking action, the passengers of Flight 93 fought back to deny their hijackers a complete victory. Since then, passengers have successfully defended their lives from the Shoebomber in late 2001 and the Underwear Bomber in 2009.

Three thousand people died teaching us this lesson. There is no better way to honor their memory than to heed it.

10 years after the Anthrax attacks of 2001 the mail industry is still searching for definitive security standards. Mail handlers were wandering through the woods without a map for seven years when the department of Homeland Security introduced 41 CFR 102-192 §70-80. This is a mandated regulation that sets uniform minimum security requirements for federal mailrooms to establish annually-verifiable mail screening and emergency protocols. (See below for two surprising facts about 41 CFR 102-192 §70-80 compliance.)

For those lost in the woods, it’s great to find a map. And 41 CFR 102-192 §70-80 is a good start, but it is not enough. The regulation does not provide validation guidelines or inspection protocols. When it comes time for inspection, many facilities find they have hardly made progress. So now that there is a map, the industry needs a compass – an industry wide set of security requirements designed to maximize the effectiveness of safety measures while minimizing cost and security-related delays.  This is a call for action.

Last month we discussed the urgency of the Al-Quaida threat. While seeking additional mandates, no organization should be waiting for additional regulations to show them the way forward. Here is what mail facilities can do now to establish their own mailroom safety policies:

1. Define Agency/Company objectives.
2. Match requirements to objectives.
3. Keep requirements simple and obtainable.
4. Define compliance standards and inspection guidelines.
5. Establish quality control and assessment standards.
6. Train adequately for each requirement.
7. Require and enforce annual evaluation and reporting standards.

Two tips that have helped both commercial and government organizations successfully set policy:

-          Keep it simple. Complex guidelines create confusion and are open to miss-interpretation.

-          Keep it measurable. There is nothing more frustrating than being asked to achieve an undefined standard.

Commercial organizations can also establish a policy baseline from reviewing 41 CFR 102-192 §70-80. But even federal mailroom employees may not be familiar with these regulation facts:

1. The reporting requirement requires a thorough read to see that annual inspections should be conducted by outside agencies or resources. 
2. This is a top reason for non-compliance — most people assume their facility is covered by their agency’s overarching policy, when it isn’t.

For more information, read 41 CFR 102-192 §70-80.

Hazardous envelopes and packages typically have no outward telltale signs. That’s why everyone handling mail should know how to react the right way to each type of attack.

• Follow your instincts Concerned about a package? Follow your instincts and DO NOT OPEN IT. Leave the envelope on a flat surface and tell your supervisor.
• For powdersPlace the letter and envelope on a flat surface. Do not attempt to clean up the mess or collect samples.  Move away from the threat but stay in the general area. Do not remove clothing. Notify your supervisor and call 911.
• For potential explosives If holding the package or letter, gently set it down, notify your supervisor, follow procedures to evacuate the area and call 911.
• For threatening messages If you open a letter or package that contains a threatening message but no visible liquid or powder, do not ignore it.  Do not return the letter to the envelope or box. Place the contents and envelop or box together on a flat surface and notify your supervisor.
• For chemicals Place the letter and envelope on a flat surface. Do not attempt to clean up the mess or collect samples.  Move away from the threat, carefully remove affected clothing and evacuate to the nearest decontamination area. Notify your supervisor and call 911.

In the first years after the lethal anthrax attacks of 2001, security measures abounded. Flash forward to today; critical infrastructure security programs designed to safeguard the foundations of the government are viewed as intrusive, unnecessary and a financial burden. Many of us have returned to our pre 9-11 comfort zone, going about our day without giving security a second thought.

It is the mailroom manager’s responsibility to ensure that this apathy does not affect the protaection of critical infrastructure. Here are three ways to overcome apathy:

1. Concentrate on solutions that use existing or readily obtainable technology.  Choose the best solution(s), understand the implications, anticipate the objections, know the pros, cons, and costs.
2. Develop exercises and test your facility’s current ability to react to various threats. Challenge security and management team members through the use of creative yet realistic training and exercise scenarios. Include first responders and key management members in your planning, training, and exercises.
3. Seek input from all participants and observers. Be open to participant/observer input. This is a continuous processes not a linear event.  As soon as one evaluation cycle ends, the next begins.   

 For more ways to overcome apathy, read the White paper by Keith James