Twenty-five years ago, a truck bomb detonated in front of a federal building, killing at least 168 people and injuring more than 680 people. How did enterprise security change after the event?
At 9:02 a.m., on the morning of April 19, 1995, a truck bomb, containing more than 4,800 pounds of ammonium nitrate fertilizer, nitromethane and diesel fuel mixture, detonated in front of the north side of the nine-story the Alfred P. Murrah Federal building in Oklahoma City, Okla. The bombing killed at least 168 people, injured more than 680 others and destroyed one-third of the building. The blast destroyed or damaged 324 other buildings within a 16-block radius, shattered glass in 258 nearby buildings and destroyed or burned 86 cars. The bombing left behind an estimated $652 million worth of damage.
The bombing remains the deadliest domestic terrorist attack in the history of the U.S. and had long-lasting impacts on security. As a result of the bombing, the U.S. Congress passed the Antiterrorism and Effective Death Penalty Act of 1996, which tightened the standards for habeas corpus in the U.S., as well as legislation designed to increase the protection around federal buildings to deter future terrorist attacks.
In the weeks following the bombing, the federal government ordered that all federal buildings in all major cities be surrounded with prefabricated Jersey barriers to prevent similar attacks. Most of those temporary barriers have since been replaced with permanent security barriers, which are driven deep into the ground for sturdiness.
President Clinton directed the Department of Justice (DOJ) to assess the vulnerability of federal facilities to terrorist attacks or violence and to develop recommendations for minimum security standards. A Vulnerability Assessment of Federal Facilities, published just 60 days after the bombing, recommended security standards, such as perimeter security, entry security, interior security, security planning, and different security levels for federal facilities to fit unique security needs.
After the report, President Clinton directed all executive branch agencies to begin upgrading their facilities to meet the recommended minimum security standards per the report. All federal buildings now must be constructed with truck-resistant barriers and with deep setbacks from surrounding streets to minimize vulnerability to truck bombs. Among the other 52 security improvements recommended and since implemented were closed-circuit television monitoring, site planning and access, hardening of building exteriors to increase blast resistance, glazing systems to reduce flying glass shards and fatalities, visitor control and screening systems, guards, perimeter lighting, magnetometer or x-ray screening.
“The city of Oklahoma bombing was really a shock to our nation – and also a wake-up call of an evolving domestic terrorism threat,” says Brian Harrell. Harrell is Assistant Director for Infrastructure Security within the new DHS Cybersecurity and Infrastructure Security Agency (CISA). “There were a number of security gaps and some lessons learned that are still relevant today, 25 years later,” he notes.
According to Harrell, there were no security standards for federal buildings and no authoritative body to establish those standards. “Each agency was establishing its own security posture based on what they individually though was best to coordinate between the agencies,” he adds.
“The Oklahoma City Bombing was a catalyst for the creation of the Interagency Security Committee (ISC), consisting of chief security officers and other senior executives from 64 federal agencies and departments,” says Harrell. “The ISC immediately enhanced the quality and effectiveness of physical security in and the protection of buildings and nonmilitary federal facilities. Prior to 1995, there were minimal physical security standards that did not really exist for those nonmilitary federally owned or leased facilities.”
“The collaborative effort of the ISC, with a chief security lead, provide risk and vulnerability assessments aboard facilities, provide recommendations and mitigate risks,” notes Harrell. The Oklahoma City bombing, says Harrell, revealed a lack of preparedness in understanding what the threat is and how do we mitigate the threat through protective measures, technology, process and policies in place to ultimately protect the people.
“Today, as a result, we have a number of standards that are focused on risk assessment, active shooter, threat and vulnerability assessments, perimeter security, access control, cameras. These kind of very basic physical security protective measures were not a focus prior to the Oklahoma City Bombing,” he says.
The Nation’s Risk Advisor
The protection of soft targets and critical infrastructure has come a long way since the Oklahoma City Bombing. And CISA is one of the federal agencies that has continued to improve this protection through its many subcomponents and its resources.
Since its inception CISA has continuously built the U.S.’s capacity to manage risk. It does so through its many subcomponents: the Cybersecurity Division, Infrastructure Security Division, Emergency Communications Division, National Risk Management Center, Integrated Operations Division, Stakeholder Engagement Division.
A key way in which CISA has also provided support to partners in charge of protecting soft targets and crowded places is by gathering, validating and endorsing techniques, tactics and procedures that have proven reliable and effective in improving the security of the assets they protect. These best practices often take the form of guidance or standards that chief security officers and security executives alike can use to inform how they design and implement protective measures and security protocols for their site.
One such guidance is the Security of Soft Targets and Crowded Places – Resource Guide, a key tool in CISA’s efforts to raise awareness of the capabilities that are available to support risk mitigation. The Guide provides information on a wide range of free capabilities that can be incorporated into the security practices of enterprises of all sizes.
The guide provides resource descriptions and various links to:
• Understand the Basics
• Identify Suspicious Behavior
• Protect, Screen and Allow Access to Facilities
• Protect Against Unmanned Aircraft Systems
• Prepare and Respond to Active Assailants
• Prevent and Respond to Bombings
All of CISA, including this guide, is a “one-stop shop,” notes Harrell. “If you’re building a security plan, or a comprehensive response and recovery plan to a physical or cybersecurity attack, where do you start? If you’re going to invest your next dollar into security, what are those basic investments you need to make? CISA is the answer,” says Harrell.
“What we’re really trying to do is reach those chief security officers and those in charge of security to talk about what the threat is, how to mitigate risk and how is it that we are going to implement technology and protective measures to protect our assets and our people,” he says.
The guide is available at www.cisa.gov/publication/securing-soft-targets-and-crowded-places-resources.
Another method in which CISA builds capacity is through training. “Since 2017, CISA has also made virtual training available to 14,000 individuals and conducted in-person training across the US to 2,600 more,” Harrell says.
Some of this training revolves around active shooter, counter-IED measures, threat management programs, including insider threats, and “having those foundational pieces of security technology in place, such as access control, perimeter security, and policies and procedures in place so that when threats materialize, there is a response and recovery plan associated with them. We also train them to exercise those response plans,” he says.
In addition to visiting the site, Harrell says one of the best ways to connect with CISA and to learn more about improving the security of the assets security executives protect is through CISA’s Protective Security Advisor (PSA) Program.
Protective Security Advisors (PSAs) are security subject matter experts who engage with State, local, tribal and territorial (SLTT) government mission partners and members of the private sector stakeholder community to protect U.S. critical infrastructure.
The PSA program also maintains a robust operational field capacity, with Regional Directors (RDs) and PSAs serving in 73 districts in 50 states and Puerto Rico.
RDs oversee and manage the Department’s PSA Program in their respective regions, while PSAs facilitate local field activities in coordination with other DHS offices.
RDs and PSAs not only serve as the link to DHS infrastructure protection resources. They plan, coordinate and conduct vulnerability assessments, training and other DHS products and services; provide a link for information sharing in steady-state and incident response; plan and conduct outreach activities; respond to incidents; coordinate and support improvised explosive device awareness and risk mitigation training; and support national special security events and special event activity rating events.
Harrell hopes that those looking for resources to improve their security posture, “whether you are a mall, a house of worship, school, a stadium, a zoo, we have resources today that are free, and the guidance that we are providing is either low-cost or no-cost - engage your local PSAs to get the conversation started.”
For more information, contact PSDCDOperations@hq.dhs.gov.
Twenty-Five Years Later
“The Oklahoma City Bombing was an impetus for significant infrastructure protection and preparedness, federal building and soft target security,” Harrell says. “Within CISA, we have housed the Office of Bombing Prevention, the ISC and the office of Chemical Security, which administers the Chemical Facility Anti-Terrorism Standards (CFATS) program.”
Chemical terrorism or chemical security still remains a significant issue, Harrell notes. “We want to ensure that high-risk chemicals are staying out of the hands of the potential terrorists. We need to ensure through the ISC that our federal buildings are no longer soft targets. By utilizing compliance with the ISC and utilizing the protective measures that we mandate, it will make you a hard target,” he adds. “Today, we are in a much better position to fight and mitigate potential attacks on soft targets than we have ever been,” concludes Harrell.