INTERNATIONAL FOUNDATION FORCULTURAL PROPERTY PROTECTION
News
Reposted from Dark Reading
Nearly 75% of government employees are concerned about the potential for ransomware attacks against cities across the United States, but only 38% of state and local government workers are trained in ransomware prevention, according to a new report.
The "Public Sector Security Research" study, conducted by IBM and The Harris Poll, surveyed 690 people who work for state and local agencies in the US. One in six said their department was affected in a ransomware attack. Despite this, half didn't notice any change in preparedness among their employers. More than half (52%) of IT and security professionals polled said their budgets for handling cyberattacks have remained stagnant this year.
Some sectors are top of mind for ransomware threats. The study found 63% of respondents are worried a cyberattack could disrupt the 2020 elections. Most government employees place their local Board of Elections among the three most vulnerable systems in their communities.
Public education is another area of concern, ranking as the 7th most targeted industry, according to IBM's X-Force Threat Intelligence Index, up from 9th the year before. Ransomware affected school districts in New York, Massachusetts, New Jersey, Louisiana, and other states in 2019. Forty-four percent of respondents from the public education sector said they didn't have basic cybersecurity training; 70% hadn't received sufficient training on how to respond to an attack.
See Original Post
Reposted from EdTech
Since the early 1990s, IT security professionals from schools in the Big Ten Academic Alliance have been meeting to share ideas. Early discussions around securing mainframes have evolved into quarterly meetings exploring cybersecurity policies, processes, tools and incidents.
“We had those relationships established, but we didn’t have anything operationally focused across the institutions,” says Tom Davis, founding executive director and CISO at OmniSOC, a security operations center housed at Indiana University. “We’re all doing similar things, maybe in slightly different ways using slightly different tools, but we’re facing the same kinds of threats.”
OmniSOC, launched in 2017 by five of the Big Ten members — IU, Rutgers University, Purdue University, Northwestern University and the University of Nebraska–Lincoln — is designed to fill that operational gap. Today, it conducts constant network security monitoring and defense across all five campuses.
As security threats continue to be pervasive, more institutions are taking advantage of SOCs — both SOC as a Service offerings and homegrown partnerships — dedicated to monitoring network traffic for anomalies and mitigating threats.
“That shared model is becoming more common because building, staffing, maintaining, training — all of the things that go into having a functional SOC — are expensive and time-consuming,” says Brian Kelly, director of EDUCAUSE’s cybersecurity program. “But not having a SOC or a SOC-like service on campus is just not a workable strategy anymore.”
On average, attackers are able to spend six to eight months inside a network before anyone discovers the breach. SOCs are likely to spot that malicious activity sooner, says Kelly. “They provide the ability to detect that earlier in the cyber kill chain lifecycle.”
The infrastructure behind a SOC can be costly, but that’s just the beginning, Kelly adds. Institutions need large-conduit network activity to gather the data to be analyzed, storage to house the logs generated by the ever-increasing number of devices on campus networks and skilled analysts who can detect the different types of attacks and know how to respond to them. Plus, they need the compute power to handle all of that.
“We used to talk about looking for a needle in a haystack,” Kelly says. “Now you’re looking for a needle in a stack of needles.”
To power that search, OmniSOC uses Elastic security information and event management, which has some machine learning capabilities, for a back-end security analysis engine.
“As you can imagine, with the quantity of data that we’re receiving, it’s difficult for a team of five security professionals to analyze all of that. So, we’re going to have to look at machine learning and figure out how we can help it at least identify some anomalies that we can use our security engineering talent to dig a little deeper into,” David says.
The University of Texas at Austin operates a successful SOC as a Service, CyberPosse, that serves campuses in the UT system as well as 950 international clients (including other colleges and state and local government agencies).
The State University of New York SOC, open to the 64 campuses in its system, provides software, tools and threat and log monitoring through a third-party vendor, along with services such as anti-phishing campaigns and vulnerability assessments.
Yet the value of shared SOCs extends beyond services, says Bill Lansbury, associate vice president of IT and enterprise infrastructure at Rutgers. OmniSOC members, for instance, have access to partners’ security tools and expertise. The ROI is greater than performing the same tasks in-house, he adds.
“For us to do what we’re getting out of OmniSOC, we would need to have five to seven additional full-time staffers, not to mention the training and professional development,” says Rick Haugerud, assistant vice president for information security and CISO for the University of Nebraska-Lincoln. “We’re just not in an environment where we can get that.”
It didn’t take long for OmniSOC to prove its worth. Within 24 hours of its launch, it identified a compromised host at one of its partner institutions.
“It wasn’t a serious breach, but it could have posed a threat to other hosts on the network,” says Davis. IU became OmniSOC’s home institution because it was already home to the Global Research Network Operations Center, which manages networks around the world. GlobalNOC, which has locations on IU’s Bloomington and Indianapolis campuses, gives OmniSOC redundancy and access to round-the-clock services.
Partner institutions were able to use the security infrastructure they already had in place, including firewalls and intrusion detection systems. They just added appliances (deployed and managed by OmniSOC) to send data securely to OmniSOC, which collects and normalizes that data using the Elastic SIEM system. The use of existing infrastructure can make SOCs feasible for institutions that aren’t interested in building out an entire new system.
In addition to Davis, OmniSOC’s 16 employees are divided among three teams: security engineers who handle threat-hunting analysis, a dedicated security platform engineering team that gathers and normalizes data from partner institutions, and a six-person 24/7 service desk. The two latter teams are organizationally part of the GlobalNOC, but functionally they report to Davis.
“There’s no way you could run a 24/7 operation just on six full-time employees,” says Davis. “We’ve been able to leverage the existing GlobalNOC service desk team to augment those needs after hours and on weekends.”
While all of the partner institutions had their own SOCs in place before forming OmniSOC, their staffs had competing demands.
“It’s very common in higher ed for security teams to be overtasked,” says Davis. So, even if an institution has the best intrusion detection system, security personnel can’t spend all their time looking at the resulting data.
That’s where Security as a Service can be useful. OmniSOC, for example, receives data from each partner institution to provide continuous monitoring. If an engineer spots an anomaly in traffic at one of the institutions, he or she flags it and escalates a ticket to that university.
In one case, OmniSOC detected unusual activity on Rutgers’ network: an IP camera receiving exploit instructions from another country. Rutgers’ incident-response team contacted the camera’s owner, and a simple firmware update resolved the problem, says Scott Borbely, security operations manager at Rutgers. Those extra eyes can be most beneficial after hours, says Haugerud.
“Alerts get that first level of ‘this is not normal’ from OmniSOC,” whereas before, alerts might have sat idle from 10 p.m. until 9 or 10 the next morning, he says. “It all ties back into that concept of improved detection: How do we identify and start to respond in hours versus days or weeks?”
OmniSOC also has an advantage because it draws data from five institutions using different security tools. So, for instance, if one intrusion detection system finds suspicious behavior that the other four universities missed, the OmniSOC team notifies everyone of the potential threat.
“It’s really an extension of our existing resources,” says Lansbury. “It’s one team working for all the members of OmniSOC. If something happens at Purdue, we immediately get made aware of it so we can protect against it. We don’t have to wait for it to get to us.”
It is with great sorrow that the IFCPP family shares the news of our friend Steve Ramsay’s recent passing. Steve was a longtime IFCPP contributor and supporter, and cultural property protection community figure. Steve participated in numerous cultural property protection conferences, and co-hosted IFCPP’s Southeastern U.S. Regional Symposium in 2015. We’ll very much miss Steve’s comforting demeanor and quick wit. Our deepest condolences to Steve’s family and friends in Tulsa and beyond. Thank you, Steve, for honoring us with your friendship, professionalism, and kindness.
Following is an excerpt from Steve’s obituary.
Stephen Boyd RamsaySeptember 18, 1954 - February 23, 2020
Stephen Boyd Ramsay was born September 18, 1954 and passed away on Sunday February 23, 2020 after a catastrophic stroke. He was born in Tulsa and graduated from Webster High School in 1972. He then received an Associate’s Degree in Criminal Justice. He traveled extensively in his younger days; always roughing it, mainly up in the Yukon. The outdoors meant everything to him; climbing, hiking, and mountain biking. Steve spent several summers guiding fishing trips in Alaska, occasionally falling out of the raft which earned him the nickname “Otter”.
Steve retired from the Philbrook Museum of Art in January 2019 after 26 years where he was the Director of Safety and Security. He was insanely good at his job, working many long hours and all special events. Steve’s coworkers loved and admired him for his kindness, his humor, and his willingness to go above and beyond. Everyone who knew him has expressed their appreciation for his ability to help those in need and his contagious laugh.
Steve loved his family with his heart and soul. He was a loving Husband, Father, and Grandfather. His sense of humor kept us going through good times and difficult times. His family thanks everyone for their outpouring of love during this very difficult time.
A Celebration of Life will be held on April 4th at Baxter’s Interurban, 717 South Houston, from 4-9 pm. Donations can be made to the charity of your choice, preferably to outdoor organizations or the American Stroke Association.
Reposted from Frieze
Michelle Millar Fisher and Andrea Fraser discuss how to radically reshape the power structures of museums today.
Michelle Millar Fisher – a curator at the Museum of Fine Arts, Boston, and co-founder of the Art + Museum Transparency collective (which, in 2019, released a crowdsourced document detailing more than 3,000 art workers’ salaries across the world) – speaks to the artist Andrea Fraser, one of the leading figures of institutional critique, whose landmark study 2016 in Museums, Money and Politics (MIT Press, 2018) traced the political donations of board members at US institutions.
Michelle Millar Fisher What does the notion of public and private mean, on both sides of the Atlantic, when we think about museums? I grew up in the UK, so I have a very specific understanding of museums from that background. The broadest contrast is that, where I come from, there’s a lot more state funding for the arts and a stronger sense of museums being part of the fabric of a city or community – or even a country. There’s an understanding that that’s just where some taxpayers’ money goes. Whereas here, in the US, I think of Charles Willson Peale’s quote: ‘All the national museums in the world […] were from beginnings of individuals.’ The focus is on the individual donor or on corporate philanthropy. I think the UK model is collapsing and becoming more aligned with the US approach but, growing up, that’s how I understood museums: as places that were completely free to go into, public in the truest sense.
Andrea Fraser My view of European museums has been shaped primarily in Germany, where there are many public institutions and very few private ones. But there are also many kunstvereins, or ‘art associations’, which correspond in some ways to nonprofit art organizations in the US. However, an essential difference is that the boards of kunstvereins are elected by the membership, while most US nonprofit boards are self-selecting. What is increasingly important to me is to consider not only an institution’s sources of funding but also its governance structures. Museums with self-selecting, self-perpetuating boards can be just as plutocratic with public funding as they are with private funding – if not, in some ways, more so.
In the US, historically, institutions often received substantial amounts of public funding. Starting in the late 19th century, many US museums were built on public land in cities contractually obligated to support them with public funds. Nevertheless, in most cases they were governed by wealthy individuals sitting on self-perpetuating boards in a structure that was modelled on private, for-profit corporations. That represented what the historian Peter Dobkin Hall called ‘civil privatism’ in his book Inventing the Nonprofit Sector (1992). It resulted in urban public spheres in which the most prominent ‘public’ institutions were fundamentally private and plutocratic in their governance structures. That, to me, is what is very specific about the US model: not so much that many museums were founded by individuals or that they depend on private funding, but that the system supports the non-democratic and often plutocratic governance of putatively ‘public’ institutions.
MMF I moved to the US when I was 22 to work in museums because I thought there was so much more opportunity here if you didn’t come from a wealthy background. I was yet to fully understand how histories of race, and to an extent gender, foreclose opportunity in the US – something that 15 years of living here has subsequently taught me. In the UK, museums felt accessible in a way that they do not here, but, working in an institution in the UK seemed much less feasible. Actually, however, I see a similarity in that regard to the US – in that the governance structures of museums are held in the hands of very few. Museum careers are predominantly for a certain social class.
AF I do think that it’s different in some of the older civic museums in the US, especially compared to more specialized and often more private modern and contemporary art museums. Some of them are free or you pay what you wish. But they also function through the publicization of privacy and the privatization of public resources, with the prominent recognition of patron support and often no recognition of public support, and with the administration of public funds and resources by private boards with no democratic input or oversight. Regardless of how much they receive directly from public sources, up to 30 percent of US museum revenues, or a percentage equal to the top tax rate, consists of indirect public subsidy in the form of lost tax revenues. That indirect public subsidy is never recognized.
MMF The journalist Michael Massing mentioned that indirect public subsidy in a New York Times op-ed on 14 December 2019. It was one of the first times I’d seen any kind of mainstream news source refer to it. He wrote that MoMA (and, indeed, most other US museums) ‘gets substantial public support through the tax write-offs its wealthy donors receive as well as its own non-profit status. The public is, in effect, subsidising the museum without getting any corresponding say in its governance.’ His suggestion is that, in return for non-profit status, the government could require MoMA and other museums to allocate a certain portion of board positions to people whose lives are not devoted to making money.
AF Virtually every single room in most US museums is now named after a private donor. To the extent that these museums are public, what is being publicized is private wealth: wealthy individuals and their culture. I was invited to present my 2016 in Museums, Money and Politics book at the National Gallery in Washington, D.C., last year. It was among the first museums in which I spent a lot of time as a child, because my father lived near D.C., but I hadn’t been there for a long time. It was really striking to me that in the National Gallery there are no named spaces. As you enter, there are a few big plaques with lists of patrons. But alongside the familiar names of the super wealthy, going back to Andrew W. Mellon, there are also many artists who gave their work to the museum. They’re listed as donors and their names are recorded there in stone. It was very moving to see that.
MMF Do you think that 2019 has marked a specific tipping point in terms of the ways in which not just museums themselves, but also the public, have a greater awareness of some of the difficulties, tensions and challenges that are being raised by art workers and artists? Or do you see it as just another form of the same conversation that has peaked and troughed over the last 30 or 40 years?
AF I think it is different because of the new focus on governance. In the 1980s, the focus was on corporate sponsorship. In the 1990s, it was on the corporatization of public and non-profit organizations in terms of privatization, professionalization, the shift towards corporate populism and the embrace of spectacle culture: blockbusters, starchitects, merchandizing, et cetera. But I can’t recall anyone – except, of course, Hans Haacke – really looking into governance structures.
However, I don’t think we will get very far just focusing on the power, influence and wealth of the donor class. They function within a system from which artists and museum staff benefit. We also have to look at our own interests and participation in this system as what I call the donee class. Donors give and trustees serve because artists and museum staff beg them to do so. This has become the primary job of directors of institutions in the US. The rising costs of museums, which necessitate huge gifts from wealthy donors, are not primarily driven by board members. They are driven by the ambitious expansion plans of directors, the grand visions of starchitects and the skyrocketing prices of artists’ work. This growth is driven by competition and ambition, not by need. It creates an extremely steep pyramid of resource distribution, in which a few individuals and institutions at the top absorb the vast majority of the total resources in the field. The corporate populist museum needs spectacle and the whole system flatters donors into funding it.
MMF I find there’s a tension between that area of the art-world economy and the rest of it – which is where I work as a design curator. I started off as a security officer; I’ve been an educator, and I’ve done a lot of other jobs in the museum that have not, in any way, connected me to donors. The work I commission or collect does not cost anything close to six figures, let alone seven. I see members of that donee class out begging, but most of my museum colleagues are either working front of house or in coat check; they’re working in every corner of the museum, in places that don’t closely connect them to those structures. They still, in many cases, have what might be called a naive, or really altruistic, understanding of the museum as a space of knowledge, of joy, of fundamental humanity. I had that. A part of me still does. But a part of me lost that after working at a really badly managed museum that simply didn’t value its human resources.
In the last year especially, but certainly since the 2008 collapse of Lehman Brothers financial services, a lot of so-termed donees have pursued professional museum careers that have saddled them with huge amounts of debt and very few career possibilities. I think they feel those tensions in an embodied way because they want these spaces to be what they’d hoped they would be – but then they either haven’t found jobs there or the jobs have been horrifically paid, often without benefits.
So, there is a donee class that absolutely engages with donors and participates in the upper echelons of the art market: art as an asset class, or as something that requires millions of dollars in fundraising. But most of the people I know in museums are not like that. They are the people who are trying to figure out what it means at a grassroots level to change that conversation entirely. I am interested in figuring out how we foreground, amplify and listen closely to art workers who are not curators, directors or well-known artists. They’re the majority of art workers, and they’re the thousands of people who have, in the last year, shared their salaries anonymously on the Art + Museum Salary Transparency spreadsheet, or attended weekly meetings to coax into life a union to implement better working conditions. But I think the dawning realization that I’ve had over the past 15 years of working in different museums is that I’m not sure they’re spaces that can fundamentally be changed. And I don’t know if they can be the spaces for the betterment of humanity I dreamed of at the start. But maybe I’m especially jaded right now!
My colleagues are more diverse than they were when I first started working at the Guggenheim in 2004; then, almost everybody working alongside me was an intern whose parents were paying their way for the summer. But now, as I hear voices from my colleagues who come from a greater diversity of places and experiences, I don’t hear the questions they’re asking the museum being satisfied in any comprehensive or long-term sense – whether they’re questions about diversity of representation within collections, about pay transparency, about different types of governance structures for boards. Do you feel that there are different modes of governance which would offer paths forward for museum boards today?
AF First, I advocate for the elimination of personal financial contribution requirements for board members. Those requirements render museum boards de facto plutocratic. It’s a ‘pay to play’ system in which positions of governance are basically bought. It would be considered corrupt in any other context. There’s an argument that, especially in small organizations, the board members should make some kind of contribution. In that case, it should be a percentage of income. When you look at just how wealthy some board members are, even when contribution requirements are well into seven figures, it’s a tiny fraction of their fortunes.
I also advocate that museums should have staff councils whose members are elected from and by the entire staff. Institutions dealing with the work of living artists should have artist councils, and museums should have community councils for other stakeholders. These councils should all have board representation. Together with eliminating personal financial contribution requirements, such councils would be a path to democratizing museum governance structures and diversifying their boards. And I think that all museum boards should have elected officials as ex officio members.
Ultimately, I believe boards should be elected by museum members. That was never the dominant model in US museums, but it was in many other non-profit organizations until fairly recently. With the public funding cuts of the 1980s, big private foundations pushed non-profits to professionalize and to replace the participatory model of many democratically structured organizations with a model that turned constituents into clients or customers. It destroyed what had been a training ground for active citizenship and participation in political processes. The challenge today is not to open boards to the non-rich, but to get people who are used to being clients, customers and contractors of organizations to step into governance roles. It’s a lot of work. I don’t think many artists see it as valuable, or see themselves as candidates for such roles.
I believe the protests over the Whitney Museum of American Art’s vice chairman, Warren B. Kanders, would have unfolded very differently if the Whitney had staff and artists’ councils with board seats. [Kanders owns a company that produces tear gas used on protestors internationally.] He finally resigned in July 2019 following months of protests. The Whitney had been trying – certainly more than the Guggenheim and the MoMA – to present itself as representing and responsive to a broad range of communities and constituencies. But, in that conflict, the museum’s director revealed himself to be answerable only to one constituency: the board. But, of course he is! In the US, museum directors are hired by the board, they serve at the pleasure of the board, and they can be fired by the board at any time. As long as museum directors and senior staff have no job security, they have no real autonomy. Changing that would require something like tenure, which some university museums and galleries do have.
MMF Are there any other existing models that you know of: specifically with staff on the board, or staff able to make decisions or staff connected in some way to the governance of museums? How realistic is it? I can’t see, for example, MoMA embracing this, because they simply don’t need to in order to continue business as usual. But I can actually see smaller and mid-sized museums putting their money where their mouths are in terms of their mission statements around change, progression, inclusivity – whatever the buzzword might be.
AF The Institute of Contemporary Art, Los Angeles is one US museum that is developing new models. It has an Artists Council with two members who also sit on the board – me and Charles Gaines. The Artists Council was instrumental in rewriting the museum’s mission statement a few years ago. I was adamant that it wasn’t going to be vague and basically useless, as most museum mission statements are. We helped draft what I think is one of the most radical in the US. It includes a commitment to ‘upending hierarchies of race, class, gender and culture’. That statement really does orient the board. All non-profit organizations in the US are defined as mission-driven, as opposed to profit-driven, but most have vague mission statements that provide zero guidance.
The biggest challenge for museums in adopting the kinds of changes I’m proposing is that board dues are basically the only reliable source of revenue that they have. To eliminate board dues requires a shift in the economic structure of museums, which would have to include not only finding alternative sources of revenue, but also dramatically reducing costs.
MMF I think the distinction between looking solely at funding and also looking at governance more broadly is now mirrored in what artists are doing – if you look at the activists involved in Decolonize This Place, the art workers engaged in unionization drives, the artists involved in W.A.G.E. who organize fair payment for artists and so on.
AF The big shift is that the non-profit art sector in the US has become industrialized and this has changed labour relations in the field. Artists are now more likely to see themselves as underpaid gig-economy contractors than heroically deprived autonomous producers; museum staff are more likely to see themselves as underpaid workers than contributors to a philanthropic cause. That also implies an acceptance of a non-democratic, hierarchical corporate structure. The idea of organizing to participate in governance is almost harder to imagine in that context. It’s a labour relation and we’re just organizing to get paid, right? But a lot of corporations in Germany, for example, have both very strong unions and staff councils and often these have significant representation on the boards. They’re not mutually exclusive.
MMF I can understand the feeling that we need unions before we can have staff councils. I think the reason artists, or indeed art workers of any kind, find it incomprehensible that they might be able to have a role on the board is that there’s such a huge wealth disparity between them and the people on US museum boards today. And, indeed, between them as art workers and the senior curators and directors at museums. It seems like too radical a departure for them to imagine they’d ever have true agency in those spaces.
I want to close by asking about the viability of alternative approaches to structuring the contemporary art world. Nan Goldin’s work with P.A.I.N. to campaign against arts institutions accepting money from the Sacklers – whose wealth has been linked to the production of the opioid OxyContin – was considered fringe a year ago. Now, it has very mainstream support and demonstrable outcomes from the group’s actions. It struck me that your pretty radical and inspiring idea for rethinking museum boards seemed similarly impossible, but that this is a moment where the impossible can happen. What might the tipping point be?
AF I think we are already at a tipping point. The question is which way we’ll tip. Democratic institutions of all kinds are being destroyed by corruption and plutocratic interests. Supposedly progressive cultural institutions have an opportunity to rebuild democracy, starting with their own organizational structures. Protest is an indispensible element of this, but transforming organizational governance can’t just be about getting a few toxic trustees off boards, which implies that the system is okay without them. It has to be about demanding a seat at the table.
Reposted from BBC
Staff at the Louvre - the most visited museum in world - voted "almost unanimously" not to open on Sunday, a union representative said.
On Saturday the French government banned all indoor gatherings of more than 5,000 people, in an effort to curb the spread of the new coronavirus.
France has reported 100 cases of the Covid-19 disease. Two people have died.
Queues formed outside the museum's iconic pyramid in the rain, but the doors remained shut.
A statement on the museum's website said a meeting was reviewing the "public health situation linked to Covid-19 prevention measures" announced by the government.
The previous day, an emergency cabinet meeting banned large gatherings "in confined spaces", as well as open-air events such as Sunday's Paris half-marathon.
Union official Christian Galani told AFP news agency: "The meeting was arranged to discuss the concerns of staff", adding management representatives were unable to convince workers to go to work.
"The Louvre is a confined space which welcomes more than 5,000 people a day," Mr Galani said. "There is real concern on the part of staff."
In France all public gatherings have been banned in parts of Oise, the area north of Paris at the centre France's coronavirus outbreak.
But the mayor of Montanaire, one of the towns affected by the ban, defied the move and allowed a market to go ahead on Sunday.
Cancelled events across France also include the final day of the Paris Agricultural Fair and a fireworks display in the southern city of Nice - both were due to be held on Sunday.
Switzerland has also banned large gatherings. The General Motor Show and the Basel Carnival are among the events affected.
In Italy, Europe's worst-affected country, five Serie A football matches are not being held this weekend.
In rugby, Ireland postponed men's and women's Six Nations games against Italy in Dublin next weekend.
And Qatar has cancelled the opening MotoGP race of the season, which was due to be held on 8 March, because of travel restrictions on visitors from Italy, a centre of the outbreak.
Reposted from Security Management
As security professionals, we see vulnerabilities every day: homeowners who don’t arm their security systems; businesses with inoperable cameras and propped open back doors; unaccounted–for keys, missing badges, broken locks, and no visitor control; work computer passwords that are weak, reused, shared, or written on a sticky note; no emergency plan, practice, or provisions. Despite regular reminders about the risks in the world, why do these lapses keep happening? Perhaps the increasing number of security breaches and violent attacks leave us numbed to their significance. Or the topic is purposely avoided, when confronting the rising threat feels overwhelming or uncomfortable.
Many industry insiders see security from a data-driven perspective—there is risk probability, which is lowered by the effectiveness of an array of countermeasures. However, most risk models are not holistic, because they don’t address the important psychological and sociological factors at play. The human element is perhaps the most difficult to address in the security realm, yet the one that can make or break our efforts.
Consider the vulnerability mitigators—the site managers and security teams who have assumptions, biases, and blind spots, unconsciously impacting their decisions and compounding risk. There are five emotional traps in soft target security: hopelessness (“There is not much we can do to prevent or mitigate the threat.”), infallibility (“It will never happen here.”), inescapability (“It is unavoidable, so why even try?”), invulnerability (“It cannot happen to me.”), and the most dangerous, inevitability (“If it is going to happen, there is nothing I can do about it anyway.”). These beliefs, even if subconscious, can sabotage security efforts. Vulnerability mitigators are just as susceptible to these traps as average people.
Wait, there’s more! Adding to this complex brew is security fatigue, a phenomenon first observed in the cyber realm. A security study conducted by the U.S. National Institute of Standards and Technology (NIST) in 2016 sought to measure respondents’ online activities, computer security perceptions, and the knowledge and use of security icons, tools, and terminology. Unexpectedly, many participants mentioned “security fatigue,” along with a sense of resignation, loss of control, fatalism, risk minimization, and decision avoidance when it came to cyber hygiene.
This very same security fatigue is now reflected in the general populace, weary of inconvenient physical security measures and now facing a loss of personal communication and online privacy in the name of an often abstract concept: the greater good.
Now factor into the equation a palpable sense of denial about the threat, manifested by a lack of urgency to mandate changes in the wake of a massacre. There is a persistent belief an attack was a “one-off” event which won’t occur again, with a unique and lone attacker. Mass shooting events are often hastily put behind us, and society moves on quickly to resume normalcy. Consider that London, with one of the best counterterrorism programs in the world, fell victim to two ISIS terror attacks by vehicle on adjacent bridges within a 10-week period. Lessons learned from the first attack on the bridge near Westminster on 22 March 2017 did not translate to robust security measures on other bridges.
The location of the second attack on 3 June 2017, the London Bridge, was a stated target of both al Qaeda and ISIS for more than a decade. Typical of copycat attacks, terrorists learned from the first attack and improved their methods, using a larger vehicle to mount the London Bridge curb and mow down pedestrians on the sidewalk. They also left the vehicle in a popular restaurant district and went on a stabbing rampage, while wearing fake suicide vests to amplify the terror effect.
Although contradictory to denial, there seems to be a new level of acceptance regarding mass attacks, seeing their near daily occurrence as a “new normal.” During the mass shooting at a STEM school in Colorado in May 2019, none of the major national news networks broke away from political coverage to report on the unfolding crisis. On the first anniversary of the Santa Fe High School shooting in Texas (10 killed, 14 wounded), many social media comments indicated people did not recall the event. Perhaps society has numbed to the point where extremely violent events are no longer shocking. This complacency is dangerous; it means we’ll settle for security that is “good enough” and take the more comfortable path of least resistance. Organizations may choose to roll the dice, and just deal with an event if it arises.
The bottom line is that this cauldron of emotions and behaviors is not only a dangerous and exploitable phenomenon, but also extremely detrimental to our efforts to secure venues and protect people. Acknowledging the existence of these behaviors and mindsets is part of the solution, but there are tangible steps we can take in our work to meet them head on and mitigate.
Not everyone shares our sense of urgency, scope, or motivations about security. Several years ago, I consulted on a federally funded project in a U.S. city to secure several high-density commercial public buildings from terrorist attack.
One of the site managers resisted our efforts and did not embrace recommendations coming from a thorough vulnerability assessment. Frustrated, I asked: “What will you say to family members if an employee or customer dies during an attack on your property, one you could have prevented with enhanced security measures?” He looked me in the eye and said: “Why would I talk to the family members?”
As a military officer, I prepared for and performed casualty notifications, and the welfare of my troops and their families was my responsibility. I found the manager’s statement shocking, but instructive. My paradigm and principles about security might not be shared by others, and that’s alright.
Prior to presenting ideas or solutions, we can ask questions to clarify cultural nuances at the worksite that may impact our work. Perhaps the most important yet underrated communication skill is listening. Engaging in a true dialogue will help clarify and build trust before introducing ideas and solutions.
I teach a graduate level communications course for security professionals, and the curriculum includes aptly packaging and marketing the message. Why? Because of the aforementioned psychological factors like security fatigue, combined with the standard resistance to change. The way you communicate your security recommendations will change how those recommendations are received.
In the last year, I have worked with religious leaders, luxury hotel managers, hospital administrators, high school principals, and security leads for professional sports teams. Security is not a one-size-fits-all proposition, yet the same methodologies apply. For instance, we encourage churches, which are soft targets, to simply lock their doors during services, when the majority of fatal attacks occur. Businesses, on the other hand, have different vulnerabilities; they might install a 24/7 access control system to prevent unauthorized entry and protect proprietary information.
To determine what communication strategies to deploy, assess the client’s biases, assumptions, and concerns. Do they demonstrate any of the five emotional traps when talking about the security environment? Understanding these complex behavioral and emotional responses is important when tailoring the security message. Message delivery is also critical—how can the client best process our information? I have my security students take a learning preference instrument called VARK (Visual, Aural, Read/Write, and Kinesthetic). Understanding learning styles helps us access information in a way where we will not only gain knowledge, but internalize and retain it for a longer period of time. As a professor, I deliver course material based on the student’s VARK preferences for improved learning and retention of information.
Once the students realize that even our small classroom of security professionals consists of a variety of learning styles, they understand the importance of tailoring the security message and delivering it to their supervisors, coworkers, or clients in a way that will be understood and acted upon.
For example, a few years back, I visited a “megachurch” just for a quick walk around with the head of security. They had a good security plan, including gated entry and license plate scanners. However, the two-story glass atrium of the main church building was unprotected on both sides, and vehicles had an unobstructed approach from the main road. The security team approached the pastor with a proposal to harden the area, but the pastor didn’t read past the first sentence, stating he was opposed to “ugly barricades.” Based on his love of photography, we decided the visual approach might work best to tell the story; the pastor agreed to fund the project after seeing photographs of attractive bollards such as fountains, benches, planters, and lighting. By tailoring our communication approach to connect with this particular person’s interests, we could overcome misconceptions about security and produce a safer environment.
We can help clients and stakeholders out of their emotional traps and still accomplish our security goals. One approach is to identify the reason for pushback, and then adjust language to better connect with the audience. For example, I was contacted by a local emergency preparedness agency regarding a “Stop the Bleed” (STB) initiative, generously funded by the state government. Although the group was offering training for free, they were unable to find any school, church, or business willing to host the program. Upon further questioning, we learned the venues associated STB with active shooter training, which they were also resisting out of fatigue and fear.
I provided talking points to the agency with compelling reasons for STB training, avoiding the active shooter perspective. I used plain language and included data regarding the increase of stabbing attacks in our country and how taking immediate action could have saved lives. The paper also covered travel safety and how stabbings are on the rise worldwide, appealing to those who travel internationally for business or leisure. I relayed a story regarding an American man who was trapped in the rubble after the devastating earthquake in Haiti; by properly dressing a heavily bleeding wound on his leg, he was able to stay conscious and facilitate his rescue, as well as save the limb. I actively sought to remove “active shooter” and related trigger words from the STB equation without watering down the need for the STB program. It worked.
Substituting the word “safety” for “security” is another tactic. For instance, a local church is located on a blind curve, next to a very busy, dangerous road. From a counterterrorism perspective, I was concerned about a vehicle purposely driving into the crowded parking lot or the building. Instead of talking about terrorist tactics with the pastor, I presented data regarding the rise of distracted drivers in our area and the number of fatalities in the vicinity of the church. He decided to install an attractive bollard system to protect churchgoers and the structure from an out-of-control vehicle. This is another example of tailoring the message to the audience to bypass an emotional trap, without downplaying the need for preparedness.
Communication lapses are not limited to small-scale campaigns or proposals, either. The U.S. government, with its massive public relations machine, has failed at times to convey security messages in the appropriate manner for the topic at hand. After the attacks on 9/11, the Department of Homeland Security (DHS) tried to educate the public on how to protect themselves. On 10 February 2003, in response to intelligence indicating terrorists were planning a weapons of mass destruction attack against the United States, DHS issued an advisory directing Americans to prepare for a biological, chemical, or radiological terrorist attack by assembling a disaster supply kit. Panicked citizens cleared store shelves of duct tape and plastic to seal homes and offices against nuclear, chemical, and biological contaminants. The DHS eventually faced ridicule over what was seen as an over-reaching response to a veiled threat, and the advisory was jokingly referred to by comedians as “duct and cover.”
A DHS Ready.gov campaign in 2004 with amateurishly drawn cartoon characters was also mocked and rendered ineffective. It was the wrong tone and method to communicate about this topic, and therefore the campaign fell flat.
The language we use is as important as our actions; it can either motivate or repel.
Since these DHS communication challenges, the threat has not been adequately portrayed to the public, perhaps to not cause alarm. Despite terrorist attacks and hundreds of foiled plots in the United States from 2005 to 2011, the color-coded alerts of the Homeland Security Advisory System (HSAS) never budged from yellow (elevated threat). In 2011, DHS replaced HSAS with the National Terrorism Advisory System (NTAS), which was meant to address criticisms of HSAS, providing alerts specific to the threat with a specified end date. However, the NTAS is also rarely used to communicate with the public. Social media platforms are dormant, and NTAS advisories average one every six months.
My work is predicated on the idea that if citizens are aware of the threat and educated to respond, they are less afraid. They become force multipliers for law enforcement and first responders.
Using internal security language heavy on acronyms or lingo is not always helpful with stakeholders and clients, nor is fear-mongering. The saying “It’s not a matter of if, but when” is often heard among security professionals when discussing the likelihood of another cyberattack, active assailant incident, or terrorist attack. However, depending on the audience, we should avoid these euphemisms in the consultative environment. Illustrating this point, an elementary school teacher recently tweeted her dismay that a security contractor made this statement during active shooter training. She didn’t find it motivational in the least, but overblown and hysterical.
Remember that the fear of a violent incident or attack is not always top-of-mind for people. The Chapman University Survey of American Fears provides an annual look into the fears of average Americans, using a random sample of 1,190 adults from across the United States. In 2017 and 2018, terrorism and crime fears dropped out of the top 10, now replaced by government corruption, environmental, medical, and personal financial concerns. Whether fatigue, denial, acceptance, or feelings of invulnerability have played a role, or Americans would merely rather focus elsewhere, data indicates terrorism and crime are not at the forefront of concerns for the average American.
Certainly, the odds of being part of a terrorist attack or mass shooting are extremely slim. The CATO Institute studied terrorist attacks perpetrated in the U.S. by foreign-born actors, including the 9/11 attack, and found that from 2001 through 2017, the chance of an American being murdered by a foreign-born terrorist was one in 1,602,021. On the other hand, the odds of dying from a car accident is one in 102; assault by firearm, one in 285; lightning, one in 114,195; and aircraft accident, one in 205,552, according to the National Safety Council. However, that does not mean that we should neglect to prepare for violent incidents.
It’s essential to understand people’s practical fears and concerns so we can properly tailor and package the security message. Residents who ignore risks of terrorism, active assailant incidents, and crime are not security’s eyes and ears. They won’t see threats or connect dots; they are the not the force multipliers we hoped for. Since fear can paralyze people instead of motivating them to action, language is again the game changer. For instance, the “lone wolf” moniker is sensationalistic and causes fear. The word “wolf” conjures a stalking, stealthy, hungry predator roving about, acting at will. In the security research realm, we are now addressing the lone wolf as a lone actor.
In my work, I use an effects-based system with my clients so they can visualize violent scenarios in an unemotional, data-driven way. Think of ways to lessen fear in your security work to enhance your message and motivate people to take action.
The underlying message to soft target organizations is that security professionals acknowledge their fatigue, fear, and hope that the storm clouds will pass them by. However, doing nothing because it’s easier than confronting the rising threat is not only naïve, it is irresponsible. A permissible environment is exactly what bad actors want, will wait for, and exploit. It is our job to continue fighting societal trends and underlying psychological impulses driving people away from security and into danger. Understanding our role and how to best engage is crucial.
Reposted from WCVB
The iconic Plymouth Rock, the landmark that marks where the Pilgrims landed the Mayflower 400 years ago, has been vandalized with graffiti, photos from the scene show.
It was among several historic landmarks that appeared to have been tagged by vandals.
Photos from the scene also show red paint on a statue and red paint sprayed on a stone bench.
The photos also show a large clam shell painted with a photo of the harbor and Mayflower tagged with red graffiti.
Plymouth is commemorating the 400th anniversary of the landing of the Pilgrims at Plymouth Rock this year. It was not immediately clear if this graffiti incident had any connection to the celebration.
Plymouth Rock is managed by the Department of Conservation and Recreation for the Commonwealth of Massachusetts as part of Pilgrim Memorial State Park.
The Plymouth Area Chamber of Commerce said four graffitied shells have been cleaned by the department of public works. The chamber said there were still some specks of paint that will be removed on Tuesday. "Please do not attempt to help us remove any of the remaining specks as many chemicals can harm or even destroy the shells as well as any type of pressure washer," the chamber said.
Officials ask anyone with any information about who may be involved with the vandalism to contact the Plymouth Police Department.
The chamber said they plan to press charges against the individuals involved.
Wildfires erupted in California in October 2019, endangering thousands of homes and businesses and leading to the evacuation of more than 200,000 people. Extreme winds—with gusts up to 80 miles per hour—spread and fed the flames. Californians faced sudden blackouts as utility companies sought to mitigate the risk that live power lines would blow over and start new fires. According to CalFire, more than 189 buildings were destroyed.
While the California 2019 fire season was less disastrous than 2018’s, some experts say it marks a shift in wildfire patterns.
Recent research by climate scientist Janin Guzman-Morales at the Scripps Institution of Oceanography at the University of California, San Diego, suggests that as the climate warms, Santa Ana winds may become less frequent. However, warming patterns are also likely to change precipitation patterns, shifting California’s wildfire season from dry fall to even drier winter, with longer, more intense fires later in the year, The New York Times reports.
Meanwhile, in southern Australia, unpredictable winds and severe drought conditions brought wildfire season early. As of mid-November 2019, fires had burned 1.65 million hectares (about 4 million acres) in New South Wales—more than the state’s burned area in the previous three years combined, and months before the year’s “bushfire” season typically peaks in January or February. A large swath of the Australian population along the east coast, including the city of Sydney, has been exposed to smoke from the bushfires, which can affect respiratory and cardiovascular health.
Changing weather patterns in Australia are exacerbating fire risks. The Australian Bureau of Meteorology (BOM) warned communities to prepare for more severe fire danger throughout the 2019–20 summer, which shows a higher than normal chance of above-average day and night temperatures for most of the country, and a higher chance of drier than average conditions for eastern Australia.
More volatile, unpredictable wildfires are forcing security and business continuity managers in fire-prone regions to reconsider their continuity plans. In California, grocery store owners scrambled to find backup generators and refrigerated trucks on little notice during blackouts. Supply chains were disrupted as highways were shut down. Organizations had to cope with mass workforce unavailability due to evacuations.
Overall, continuity challenges from wildfires fall into two camps: business challenges and personnel challenges, says Rinske Geerlings, principal consultant at Business As Usual, a business continuity planning and consulting firm based in Sydney, Australia.
Personnel challenges can involve health issues related to fires—such as worsening asthma from smoke inhalation. In Sydney, some businesses had to turn off their air conditioning systems to prevent bushfire smoke from entering workplaces, but summer heat was already climbing—upward of 34 degrees Celsius (93 degrees Fahrenheit)—forcing businesses to choose between smoke and heat, neither of which are good for staff, Geerlings says.
In addition, wildfires affect employees’ physical safety and ability to access the workplace, and their emotional availability for work, Geerlings says. “Staff may not have the mind-set to think about work due to the emotional impact of a fire, even if the business has prepared for disaster with a remote work plan,” she adds.
According to Sam Stahl, CBCP (Certified Business Continuity Professional), a business continuity management consultant based in Colorado, employees’ availability during wildfire events depends on preparedness. Insurers are more stringently inspecting conditions around homes and businesses for fire hazards, he says, and organizations can double down on this messaging by encouraging employees to plot out backup evacuation routes, clean up brush around their homes, and develop plans for remote work.
Regarding business challenges, the three essential aspects to business continuity are access to assets, people, and a place to work, Stahl says, and wildfires often disrupt at least one of those three. He recommends organizations that can facilitate remote work begin planning and practicing how to keep business on track without employees in the office.
“Do you know if you have the network power in place to support a full work from home day?” Stahl asks. It’s a good practice to have each employee work from home one day a month, just to practice and find any gaps in capabilities or resources, he says. That way, in a crisis where 40 people are working remotely, employees know what to do and the infrastructure already exists to support them.
However, some organizations are not built to accommodate remote work. For example, manufacturing organizations cannot continue production if employees cannot make it to the facility—or if the facility itself is damaged by fire.
“At the moment, the fires are so widespread and long-lasting that it’s harder to search for continuity options,” says Geerlings. “Options for suppliers are getting smaller and smaller. That’s a growing business continuity challenge—there are hardly any continuity options, like alternative locations or alternative suppliers, that are not also affected by the fires.”
For example, she says if an organization is looking for a repair business to fix a burned warehouse, maintenance companies are currently so overloaded that clients are facing months-long delays.
Volatile winds are also throwing a wrench into continuity managers’ plans. Organizations were receiving hourly updates on the fires’ progress, which meant business continuity professionals could not plan days in advance but mere hours, and they had to be ready to adjust those plans at a moment’s notice, Geerlings says.
The widespread nature of the fires is forcing continuity planners to think more broadly and creatively for solutions. Regional backup suppliers are likely just as affected by the fires as their clients, so organizations should think about leveraging suppliers and partners in different states or regions. They could send certain jobs to be processed in a different area of the country unaffected by the fires, Geerlings says.
Some organizations are even considering adding their competitors into their business continuity plans, she adds. Especially for organizations without remote work options, such as manufacturing organizations that require physical assets or equipment, developing a memorandum of understanding (MOU) with a similar competitor could ensure that production does not cease entirely during an extreme weather event or fire.
“Businesses will need to be more creative and come up with plans B, C, and D,” Geerlings says.
Recent active assailant attacks on cultural festivals, entertainment districts, and event venues are causing Americans to second-guess attending large-scale public events, and terrorist incidents and mass attacks are driving concerns globally as well. However, physical threats are not the only risks consumers face at events.
More than one in five Americans say they have cancelled plans or considered cancelling plans to attend a large-scale public event due to concerns about physical attacks, according to the 2019 Unisys Security Index. A large majority (83 percent) of Americans are concerned about a criminal attack at large-scale events such as concerts or sporting events; 50 percent reported being “extremely” or “very concerned” about physical attacks.
Worldwide, 57 percent of survey respondents report being seriously concerned that a criminal attack may affect attendees. Consumers in the Philippines, Malaysia, and Colombia had the highest concerns (86 percent to 74 percent), while consumers in New Zealand, TheNetherlands, and Germany had the lowest concerns (35 percent to 39 percent) about attacks at large-scale events.
Security awareness climbs swiftly after large-scale attacks. Following the attack on two mosques in Christchurch, the percentage of New Zealand survey respondents who said they are seriously concerned about terrorism rose from 29 percent to 51 percent.
Unisys conducted additional research on this topic, diving into more detail in seven countries (Australia, Brazil, Germany, Mexico, Philippines, the United Kingdom, and the United States). The Index found that 39 percent of respondents in those countries said they would think twice about attending a large-scale event, and one-quarter have changed their plans to attend.
“We’re trying to balance safety and security measures with the experience of the fans; we certainly don’t want to do anything to deter that experience,” says Daniel Ward, assistant director of curriculum for the National Center for Spectator Sports Safety and Security (NCS4) at the University of Southern Mississippi. “It’s very easy for someone to stay home and watch an event on their 4K television, so the competition is stiff now. We aren’t going to be able to bring people in if we aren’t making them feel safe and secure and making sure that they are having a good experience.”
Venues are also proactively reaching out for resources and training from the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and its nationwide network of Protective Security Advisors (PSAs), who work with schools, faith-based organizations, and event venues to improve security capabilities through vulnerability assessments, technical assistance, and facilitating training and exercises, says Brian Harrell, CPP, assistant director for infrastructure security at CISA. Recent attacks on crowded places and soft targets have driven increased interest in these services and resources, he adds.
Event security professionals—especially for smaller events or those without permanent venues—should strive to improve their cross-organization information sharing, says James DeMeo, CEO of Unified Sports and Entertainment Security Consulting LLC.
“The threat continuum is ever-evolving and ongoing, in terms of physical security and the integration of technologies,” DeMeo says. “The sharing of information is paramount among key leaders entrusted with duty of care protecting those spaces.”
“Effective communications between law enforcement, venue directors, and security personnel is essential in guarding fans,” he adds. Smaller venues or events might lack the resources that national organizations or associations have, but they can reach out to local fusion centers for information sharing, DHS resources, or educational tools.
Beyond concerns for their physical safety, however, event attendees are also leery of data security when out at concerts, fireworks displays, or sporting events. When asked about data safety at large-scale events, 57 percent of global respondents said they are seriously concerned about having their personal data stolen when using public Wi-Fi at large events. Concerns are highest in Latin America, where 69 percent of respondents fear for their personal data when on public Wi-Fi at events.
While convergence of physical and cyber risks has been a frequent refrain for security practitioners, the 2019 Security Index was the first time Unisys heard similar perspectives from a broad consumer base, says Tom Patterson, chief trust officer for Unisys. Consumers had nearly equal levels of concern regarding cyber and physical or kinetic risks—and their potential interconnectivity—at events.
“To see cyber and kinetic events coming together in consumers’ minds was truly telling and something that we—as an industry—need to address,” Patterson says.
For U.S. survey respondents, 81 percent reported at least some level of concern about theft of their personal data when using public Wi-Fi, and 78 percent were concerned about theft of credit card data via public Wi-Fi.
Globally, 26 percent of attendees who still plan to attend large-scale events will take extra precautions to secure mobile devices and wallets. However, only 15 percent say they are keeping alert for suspicious or threatening behavior.
Patterson advises event attendees keep devices patched and updated before attending events and using virtual private networks (VPNs) or cellular data to reduce Wi-Fi risks. This requires some pre-event preparation, he adds, so venues and event security professionals will need to reach out and advise customers about virtual and physical safety beforehand—without scaring them.
“Most people at a large event will see security right at the beginning when they get there—they’ll go through a metal detector perhaps or have their purse or backpacks checked,” Patterson says. “They’re aware of the security there, but they’re not really aware of the layer after layer after layer of security that goes into these large events.” He recommends peeling back the layers enough to give attendees a glimpse of the effort that goes into event security, which can help improve attendees’ trust in the organization.
One key to improving event attendees’ attentiveness is ensuring they have a way to report suspicious behavior, says Ward. “‘See Something, Say Something’ is a great campaign, a great program, but in many cases, we forget to give them the capability to say something,” he explains. “A lot of venues have used signage in prominent locations so fans can see where to text something to, or on video boards before an event or during breaks so fans know if they see suspicious behavior or an issue they need to bring up to the venue to text it to this number. We’re giving [them] more tools and resources.
“We do understand that when people come to events, it’s to let their hair down and not to be overly cautious,” he adds. “So we want them to be able to say something to us, but we’ve also increased our capacity to notice things through technology.”
DeMeo recommends emphasizing attendee security education and awareness through campaigns and promotional materials, noting that “an educated fan is a safe fan.”
Venues are combining printed posters, graphics on digital screens, public service announcement videos, and social media messages on top of more traditional posters or season ticket holder emails to connect attendees, employees, vendors, and contracted security personnel with security information, Harrell says. However, it’s essential to share not just how to contact security personnel but why.
“It’s always more impactful when individuals recognize why it’s important for them to report suspicious activity,” he says. “Messages should try to motivate individuals to report suspicious activity—to protect themselves, their family and friends, their community, and the activities that they enjoy participating in, including attending large events.”
Reposted from ABC St. Louis
Thanks to modern technology and some expert detective work, a nearly 400-year-old painting that had long been attributed to an unknown artist in Rembrandt’s workshop has now been judged to have been a work of the Dutch master himself.
For decades, the Allentown Art Museum displayed an oil-on-oak panel painting called “Portrait of a Young Woman” and credited it to “Studio of Rembrandt.” Two years ago, the painting was sent to New York University for conservation and cleaning.
Conservators used a variety of tools, including X-ray, infrared and electron microscopy, to bolster the case that it was the work of one of the most important and revered artists in history.
The scientific analysis “showed brushwork, and a liveliness to that brushwork, that is quite consistent with other works by Rembrandt,” said Shan Kuang, a conservator at New York University’s Institute of Fine Arts who restored “Portrait of a Young Woman.”
Outside experts who examined the 1632 painting after the completion of its two-year restoration concurred with the NYU assessment that it's an authentic Rembrandt.
When “Portrait of a Young Woman” was bequeathed to the museum in 1961, it was considered to be a Rembrandt. About a decade later, a group of experts determined that it had been painted by one of his assistants. Such changes in attribution are not unusual: Over the centuries, as many as 688 and as few as 265 paintings have been credited to the artist, according to Mehalakes.
The museum has not had the painting appraised — and has no intention of selling it — but authenticated works by Rembrandt have fetched tens of millions of dollars.
The painting, currently in the museum’s vault, will go on public display starting June 7.
QUICK LINKS
ConferenceMembershipTraining & CertificationDonate to IFCPP
TRAINING & EVENTS
1305 Krameria, Unit H-129, Denver, CO 80220 Local: 303.322.9667 Copyright © 2015 - 2018 International Foundation for Cultural Property Protection. All Rights Reserved
Contact Us
