Tag: Security

How to Prevent a Fort Hood Shooting

I wrote some posts a few months ago (1, 2, 3) about the difficulty of discovering and preventing essentially random events like the Fort Hood shooting. I was pleased by the compliment security guru Bruce Schneier paid them in his recent post, “Small Planes and Lone Terrorist Nutcases.” (Such happy subject matter we get to write about!)

Now comes Radley Balko with a great column illustrating what you get when authorities try to “get ahead” of this problem. “Pre-Crime Policing” tells the story of a gun buyer who had been tagged with the adjective “disgruntled.” A SWAT team appeared on his property, police tricked him into surrendering for a mental evaluation, they illegally entered his home, and they seized his guns.

Says the victim of these invasions, “South Oregon is big gun country. If something like this can happen here, where just about everyone owns a gun, it can happen anywhere.”

Especially if we ask law enforcement to prevent random violence.

Symbols, Security, and Collectivism

The state of Nevada is one of few that is tripping over itself to comply with the REAL ID Act, the U.S. national ID law.

It’s worth taking a look at the sample license displayed in this news report, especially the gold star used on the license to indicate that it is federally approved.

The reasons for “improving” drivers’ licenses this way are complex. The nominal reason for REAL ID was to secure the country against terrorism. The presence of a gold star signals that this the card bears a correct identity and that watch-list checking has ensured the person is not a threat.

Don’t be too thrilled, though. The weakness of watch-listing was demonstrated again by the Christmas-day attempt on a Northwest airlines flight. The underpants bomber wasn’t listed, so checking his name against a watch-list didn’t do anything.

The real reason for REAL ID, though, was anti-immigrant fervor. If the driver licensing system distinguished between citizens and non-citizens, the theory goes, possession of a driver’s license can be used to regulate access not just to driving, but to working, financial services, health care, and anything else the government wants. Illegal presence in the country could be made unpleasant enough that illegal immigrants would leave.

Alas, human behavior isn’t that simple. If ‘driven’ to it—(I had to…)—people will get behind the wheel without licenses—and without the training that comes with licensing. Then they’ll crash. When the governor of New York briefly de-linked driver licensing and immigration status in 2007, he cited public safety and the likelihood that insurance rates would fall, to the benefit of New Yorkers. (When the state of New Mexico de-linked driver licensing and immigration status, uninsured vehicle rates in the state dropped from 33 percent to 17 percent.) But the governor suffered withering criticism from anti-immigrant groups and quickly reversed course.

Like linking immigration status and driving, linking immigration status and work through an ID system imposes costs on the law-abiding citizen. Complications and counterattacks raise costs on workers and employers while reducing the already small benefits of such programs. I articulated those in my paper on employment eligibility verification.

REAL ID transfers well-being and wealth from individuals to the state.

But let’s return to this gold star…

The article says that the Nevada ID is becoming one of the hardest in the country to forge. But it’s hard to be sure. The gold star may undermine the anti-forgery goal.

Forgery is the making or altering of a document with the intent to defraud or deceive. The question is not whether the whole document can be made—I’m sure the new Nevada license is bristling with security doodads—it’s whether a document can be made to deceive.

Watch for the people who check licenses to fall into the habit of checking the gold star and taking that as evidence that the document is “good.” By a small but relevant margin, ID checkers will forget to compare the picture on the license to the face of the person presenting it. (Gold star? Go.) Putting a gold star on the license may make forgery easier. It’s not about the technical feasibility of creating the card; it’s how to fool people.

But this gold star. It will be taken as a shorthand for “citizen.” There are examples from the past in which governments used symbols to assign status to populations. It’s easy to go overboard with such comparisons, but the Nevada license, with this gold star, takes a dramatic step toward carving the population into groups—groups that can be divided. Maybe soon two stars will be for military veterans, or people licensed to own firearms. Three stars could be for elected officials.

With this gold star system, a Nevada license-holder is a little less of a free, independent person with rights and privileges based on individual merit. A Nevadan becomes an undifferentiated status-holding subject. We’re a long way from the day when the “gold star” people are assigned to better rail cars, but the idea is that it should never happen. We should reject entirely the tools that could allow the government to do that.

I Told You So?

The story that images of a film star produced by whole-body imaging were copied and circulated among airport personnel in London are a little too good to be true for critics of the technology. It may yet be proven a joke or hoax, and airport officials are denying that it happened, saying that it “simply could not be true.”

But if Bollywood star Shah Rukh Khan was exposed by the technology, it validates more quickly than I expected the concern that controls on body scanning images would ultimately fail.

Here’s how I wrote about the fate of domestic U.S. proscriptions on copying images from whole-body imaging machines in an earlier post:

Rules, of course, were made to be broken, and it’s only a matter of time — federal law or not — before TSA agents without proper supervision find a way to capture images contrary to policy. (Agent in secure area guides Hollywood starlet to strip search machine, sends SMS message to image reviewer, who takes camera-phone snap. TMZ devotes a week to the story, and the ensuing investigation reveals that this has been happening at airports throughout the country to hundreds of women travelers.)

I have my doubts that this incident actually happened as reported, but it is not impossible, and over time misuse of the technology is likely. That’s a cost of whole-body imaging that should be balanced against its security benefits.

Surveillance, Security, and the Google Breach

Yesterday’s bombshell announcement that Google is prepared to pull out of China rather than continuing to cooperate with government Web censorship was precipitated by a series of attacks on Google servers seeking information about the accounts of Chinese dissidents.  One thing that leaped out at me from the announcement was the claim that the breach “was limited to account information (such as the date the account was created) and subject line, rather than the content of emails themselves.” That piqued my interest because it’s precisely the kind of information that law enforcement is able to obtain via court order, and I was hard-pressed to think of other reasons they’d have segregated access to user account and header information.  And as Macworld reports, that’s precisely where the attackers got in:

That’s because they apparently were able to access a system used to help Google comply with search warrants by providing data on Google users, said a source familiar with the situation, who spoke on condition of anonymity because he was not authorized to speak with the press.

This is hardly the first time telecom surveillance architecture designed for law enforcement use has been exploited by hackers. In 2005, it was discovered that Greece’s largest cellular network had been compromised by an outside adversary. Software intended to facilitate legal wiretaps had been switched on and hijacked by an unknown attacker, who used it to spy on the conversations of over 100 Greek VIPs, including the prime minister.

As an eminent group of security experts argued in 2008, the trend toward building surveillance capability into telecommunications architecture amounts to a breach-by-design, and a serious security risk. As the volume of requests from law enforcement at all levels grows, the compliance burdens on telcoms grow also—making it increasingly tempting to create automated portals to permit access to user information with minimal human intervention.

The problem of volume is front and center in a leaked recording released last month, in which Sprint’s head of legal compliance revealed that their automated system had processed 8 million requests for GPS location data in the span of a year, noting that it would have been impossible to manually serve that level of law enforcement traffic.  Less remarked on, though, was Taylor’s speculation that someone who downloaded a phony warrant form and submitted it to a random telecom would have a good chance of getting a response—and one assumes he’d know if anyone would.

The irony here is that, while we’re accustomed to talking about the tension between privacy and security—to the point where it sometimes seems like people think greater invasion of privacy ipso facto yields greater security—one of the most serious and least discussed problems with built-in surveillance is the security risk it creates.

Wednesday Links

  • Federal judge dismisses charges against Blackwater guards over the killing of 17 in Baghdad. David Isenberg: “The fact that the Blackwater contractors are not getting a trial will only serve to further increase suspicion of and hostility towards security contractors. It is going to be even more difficult for them to gain the trust of local populations or government officials in the countries they work in.”
  • New report shows state and local government workers have higher average compensation levels than private workers.
  • Podcast: “Televising and Subsidizing the Big Game” featuring Neal McCluskey. “Everybody should watch the National College Football Championship because whether you’re interested or not, you are paying for it,” he says.

Terrorism and Security Systems

Terrorism presents a complex set of security problems. That’s easy to see in the welter of discussion about the recent attempted bombing on a plane flying from Amsterdam into Detroit. The media and blogs are poring over the many different security systems implicated by this story. Unfortunately, many are reviewing them all at once, which is very confusing.

Each security system aimed to protect against terror attacks and other threats involves difficult and complex balancing among many different interests and values. Each system deserves separate consideration, along with analysis of how they interact with one another.

A helpful way to unpack security is by thinking in terms of “layers.” Calling it security “layering” is a way of describing the many different practices and technologies that limit threats to the things we prize. (It’s another lens on security, compatible with the risk management framework I laid out shortly after the Fort Hood shooting.)

Let’s think about some of the security layers deployed to protect people on airplanes against someone like the individual who sought to bomb this flight into Detroit. There are many different security layers. Examining how they worked or failed positions us to tune our security systems better for the future.

It would make sense to start with the security measure that ultimately ceased the attack—human intervention—and move out layer-by-layer from there. But we should actually start by pondering what course events might have followed if the attack hadn’t been thwarted when it was.

The design of airplanes is a security layer that this event did not implicate. Few people are aware that planes are designed to survive damage—even significant damage—and still remain aloft. The seat assignment of this would-be bomber comes into play here, of course. Did he seek out a seat along the wing intending to damage fuel tanks, or was it just a chance assignment? We don’t know yet.

Depending on how events might have unfolded in the event of an actual blast, various other layers may have come into play: pilot training, other design elements of the plane like redundant controls, availability of first aid equipment, flight crew training, and so on.

The good news—worth stating again because much commentary overlooks it—is that this plot failed.

The security layer we credit most for its failure is the direct intervention of other passengers. People who discuss only government programs or policies overlook an important, forceful, and highly adaptive security layer: empowered individuals. We should not prefer to rely on this kind of human intervention, of course—it kicks in far too late for comfort. But it is there, and in this case it worked.

Next, there is weapons detection. The consensus is strong that this layer failed, but this layer did some work, which also shouldn’t be overlooked.

To get it past anticipated security checks, the “bomb” had to be modified in a way that ultimately reduced it to a far less dangerous incendiary device. It wasn’t human intervention alone, but the combination of the weapons detection layer and the human layer that foiled the plot.

Nonetheless, given the consensus that weapons detection failed outright, it is likely that millimeter wave scanning (aka “strip-search machines”) will see broader adoption in air security, trumping privacy concerns that had dealt it some setbacks.

Another layer—more clearly a failure—was the watch list/no-fly list system (or systems). Watch-lists are porous when they’re at their best: They can only catch people already known to be threats, and then only those who are accurately identified at the airport.

Secretary Napolitano originally said that there wasn’t specific derogatory information to justify placing this person on a no-fly list, but unfolding reporting suggests that this was not the case. I agree that watch-listing failed, but I struggle to imagine how it could actually succeed. What general rule, administered on the scale required, could properly deny boarding to genuine attackers without unacceptably denying travel to thousands and thousands of non-attackers every year? Making sense of watch-listing is difficult, and it’s no surprise to me that this security layer failed.

A sibling layer is visa management. Unlike the last-minute decision whether or not to allow a person onto a plane, visa applications can be examined with some leisure, using not only lists of derogatory information but also information gathered from applicants and other sources.

Foreign nationals have no right to enter the United States, and the decision to exclude people seems well placed at this layer compared to last-minute use of watch-lists or no-fly lists.  By comparison to authorities in the UK, who evidently excluded him, it appears to have been error to allow the Detroit bomb plotter to have kept his U.S. visa. This is yet another security issue deserving investigation.

Other security layers, of course, include whatever intelligence  might have been picked up in Yemen and whatever actions might have been taken in light of it.

Are there more layers of security to examine? Undoubtedly there are.

One of interest to me might be called the “strategic layer”—steps to deny terrorists the strategic gains they seek. It is unclear what goal, if any, the Detroit bomb plotter had, but  U.S. National War College professor of strategy Audrey Kurth Cronin identifies a number of “strategies of leverage” terrorism seeks to exploit.

Terrorists are weak actors, unable to muster conventional forces that threaten a state directly. So they try to use the power of the states they attack to achieve their aims. Provocation is an example—getting a state to overreact and undercut its own legitimacy. Polarization is another: Most often in domestic contexts, terror attacks can drive wedges among different ethnic, religious, or cultural groups, destabilizing the state and society.

Mobilization is the strategy of leverage most likely at play here—seeking to recruit and rally the masses to a cause. There’s no argument that this alienated loner is an articulate strategist, of course, but his attack could signal the importance of terrorism to a worldwide audience, making terrorism more attractive to opponents of U.S. power.

Even a failed attack could send such a signal if U.S. government authorities allow it. I wrote in an earlier post how their reactions will dictate the “success” or “failure” of this attack as terrorism.

As to the strategic layer, I believe that, amid programmatic and policy failures, President Obama is due credit for his handling of communications. It was very pleasing to see a Washington Post story Monday headlined: “Obama Addresses Airline Security in Low-Key Fashion.” He is obligated to respond to domestic demands for communication, of course, but declining to exalt terrorism and this incident should not earn him demerits. It should earn him applause.

The alternative—hustling the president of the United States in front of cameras to make incautious statements—would send an unfortunate signal to the world: Any young man, from anywhere across the globe, can poke the president of the United States in the eye, even if his attack on a U.S. target fails. Such a message would invite more terrorist acts.

Attacks not mounted aren’t measured, of course, but attacks would likely increase if it appeared that attacking the U.S. and its interests could visibly fluster the U.S. president. The discipline shown by the White House during this event is an important contribution to our security from the next attack. Politicians beneath President Obama’s grade should take a lesson and control their reactions as well.

Next, I hope to see communications that subtly and appropriately portray the underwear bomb plotter as the loser that he is. I have declined to use his name, because this wretch should go namelessly to oblivion. And I am pleased to see that U.S. authorities have released an image of his underwear, half-suspecting that this was done to help make his legacy the indignity of being beaten by Americans and having his underwear displayed to the world. 

I am also pleased to see him called the “underwear bomber” in some news reports. I would call him the “underwear bomb plotter” because he only managed to light a fire. This is not to trivialize the attack, but to diminish the standing of the person who committed it. People around the world who might consider terrorism are watching how we react to this event, and I want no one to believe that following in the footsteps of the underwear bomb plotter is a good idea.

Let’s also observe that the plane he would have brought down bore innocent women and children. Among them likely were many good Muslim people. Had he succeeded, he would have added to the count of orphaned children in the world. This is not someone to emulate, and official communications should be sounding these themes if they aren’t already.

Given how difficult it is to physically foreclose all vectors of attack while maintaining our society as open and free, strategic communications like this—to deny terrorists the rhetorical gains they seek from us—are very important. Portraying this person as a wrongheaded failure is part of the strategic layer in our security, far preferable to treating him as a diabolical anti-hero.

This incomplete discussion is intended only to illustrate the many different security layers at issue in the underwear bomb plot. Thoughtful readers will undoubtedly find gaps and misstatements in this discussion based on more precise facts and better technical or programmatic knowledge than I have.

Thankfully, we have an opportunity to learn about our security from this failed attack. Had it succeeded, it appears that our society remains ill-equipped to maintain an even keel. The intensity of commentary and analysis on this event shows that a successful terrorist would likely knock us off our game. The impulse to do something—anything—would overwhelm us, and we would likely overreact by retaliating imprecisely, by pouring our energy into security measures that don’t actually work, and so on. Such missteps are congenial to terrorism, and we should try to avoid them.

Talking about Terrorism

Terrorists are named after an emotion for a reason. They use violence to produce widespread fear for a political purpose. The number of those they kill or injure will always be a small fraction of those they frighten. This creates problems for leaders, and even analysts, when they talk publicly about terrorism. On one hand, leaders need to convince the public that they are on the case in protecting them, or else they won’t be leaders for long. On the other hand, good leaders try to minimize unwarranted fear.

One reason is that we shouldn’t give terrorists what they want. Another is that fear is a real social harm, particularly when it is exaggerated. Stress from fear harms health. It causes bad decisions. For example, if people avoid flying and drive instead the number of added fatalities on the road will quickly surpass the dead from a typical terrorist attack. Most important, excessive fear causes policy responses that often damage the economy without much added safety. Measured in lives on dollars, reactions to terrorism often cost more than the attack themselves.

If leaders talk only about the danger of terrorism and everything they are doing to fight it, without putting danger in context, they may be on safe political ground, but they risk causing or prolonging groundless fear and encouraging all sorts of harmful overreactions. That is the Bush Administration’s counterterrorism record, in a nutshell. If leaders just say “calm down and worry about something more likely to harm you,” they will be butchered politically.

So a reasonable approach is to sound concerned but reassuring. You want to convince people that they are mostly safe without appearing complacent. I don’t like many of this administration’s counterterrorism policies, starting with Afghanistan, but thus far its communication about terrorism is far more sensible than the last administration’s. That includes the aftermath of this attempted Christmas Day attack.

The administration made it clear that it is unacceptable that a guy we just got warned about got onto a plane wearing explosives. But the President also said Americans should be generally confident in their safety from terrorism. He didn’t act as if this incident was the most important thing on his schedule this year or compare the Al Qaeda affiliate in Yemen to the Third Reich or what have you, exaggerating their capability and power. I wish he had gone further and said that detonating explosives smuggled on to a plane is tricky and that flying remains incredibly safe. (Jim Harper will soon have more to say here on the security failures and how to talk about them.)

In a different political universe, the President could describe the terrorist threat honestly. He would say that recent attempted terrorist attacks in the United States show more amateurism and failure than skill and success. He could add that we are fortunate that our greatest enemy, al Qaeda and its fellow-travelers, are scattered and weak compared the sorts of enemies we historically faced. He would sound more like Michael Bloomberg, who told New Yorkers that they had a better chance of being struck by lightening than killed by terrorists, after a particularly inept terrorist plot on JFK airport was uncovered. He could even quote Nate Silver, who calculates that in the last decade of US flights, there was one terrorist incident per 11,569,297,667 miles flown. It’s true, as Kip Viscusi demonstrates, that people don’t think like actuaries. They rightly value different sorts of deaths in different ways, and want more protection against terrorism than other dangers. But knowing the odds is still important in weighing the appropriate amount of concern and forming policy preferences. The president could also have treated voters like grown-ups and pointed out that whatever flaws in airline security that this attempted attack reveals, there is no such thing as perfect safety, and sooner or later even the finest security systems fail.

I also disagree with the argument that the trouble with our airline security or national security policy-making in general is insufficient presidential attention. Overall, we could do with a little more masterly inactivity in security policy, to use an old British phrase. Aviation security is another matter, but I struggle to see how presidential involvement would have fixed this problem. The 9-11 Commission did claim that September 11 occurred because leaders failed to pay sufficient attention to al Qaeda, but there, as in other matters, the Commission is wrong. At least in the executive branch, the attention paid to the threat in the 1990s was quite substantial, as you can see in this essay by Josh Rovner or in my contribution to this book. The historical record shows that the threat was well understood by security officials and the reading public. Time, for example, called Osama bin Laden the most wanted man in the world when they interviewed him in 1998. The trouble, in my opinion, was not misperception but our policies and the difficult and unprecedented nature of problem–a terrorist group ensconced in hostile country that refused to do anything about it.

Getting the line between confidence and vigilance right is not easy, but it starts with acknowledgment that there is such a thing as overreaction. That subject will be the on the agenda for our January 13 counterterrorism forum with James Fallows, State Department Counterterrorism Coordinator Daniel Benjamin, Paul Pillar and others.

*My attempts to explain this stuff to Politico yesterday resulted in some confused and inaccurate uses of my quotes in this story by Carol E. Lee, which unconvincingly compares the Obama’s response to this terrorist attempt to his silly involvement in the Henry Louis Gates arrest fiasco. First, Lee absurdly uses me as example of “predictable” attacks from the right on Obama, when I said I was glad that the President said Americans should feel confident but that I’d have preferred if he’d done it more forcefully by saying flying remains safe and al Qaeda weak. That is more or less the opposite of the predictable take on the right. Then, she says that my views on the President’s response to the attacks referred to his post-press conference golf outing. I was talking about his overall response, or lack thereof, over the last several days. I can’t decipher the meaning of presidential golf.