July 24, 2012 12:23PM

Serial Innumeracy on Homeland Security

This post was co‐​authored with Mark G. Stewart, professor of civil engineering and director of the Centre for Infrastructure Performance and Reliability at The University of Newcastle in Australia.


At hearings of the Senate Homeland and Governmental Affairs Committee earlier this month, former congresswoman Jane Harman (D‑CA), now head of the Wilson Center in Washington, made a gallant stab at coming up with, and hailing, some homeland security functions that “execute well.”


At the top of Harman’s list was the observation that Customs and Border Protection (CBP) last year stopped more than 3,100 individuals from boarding U.S.-bound aircraft at foreign airports for national security reasons. Since these were plucked out of more than 15 million travelers that went through 15 pre‐​clearance locations overseas, it was, she exclaimed enthusiastically, “like picking needles from a haystack!”


Committee chair Senator Joseph Lieberman (I‑CT) waxed even more enthusiastic about the number, concluding grandly that it “took very sophisticated data systems and implementation of those systems to make that happen” and that “we’re all safer as a result of it.”


This was an exercise in serial innumeracy, of course, because the relevant statistic is not how many individuals were denied entry, but how many of those denied actually presented a security threat. Neither enthusiast presented relevant data, but, judging from the fact that no one apparently was arrested (we’d tend to know if they had been), the number was likely just about zero. Nor was information presented about the problems or costly inconvenience inflicted upon the many who were likely waylaid in error.


Moreover, it is not clear where the Harman/​Lieberman number even comes from. According to Homeland Security officials interviewed by Michael Schmidt for a recent article in the New York Times, only 250 people in each of the last two years were turned away or even pulled aside for questioning as potential national security risks by pre‐​clearance screeners. Maybe CBP is even more “sophisticated” at picking needles from haystacks than Harman and Lieberman give it credit for. Does that mean we’re even safer as a result? Or less so?


Schmidt also supplies information that calls into question the whole pre‐​clearance enterprise. Stimulated in considerable measure by the failed underwear bomber attempt to blow up an airliner flying from Europe to Detroit in 2009, the program is, as Department of Homeland Security chief Janet Napolitano stresses “an expensive proposition.” Although it has been instituted so far only in airports in Canada, the Caribbean, and Ireland, it already costs $115 million a year. Expansion to hundreds of other airports (including the one the underwear bomber actually took off from) is not only costly, but requires a major diplomatic effort because it involves cajoling foreign governments into granting the United States police‐​like powers on their own soil. The program has not foiled any major plots thus far, notes Schmidt, and he pointedly adds that it would scarcely be difficult for a would‐​be terrorist to avoid the few airports with pre‐​clearance screening to board at one of the many that do not enjoy that security frill.


But the main innumeracy issue in all this is that the key question, as usual when homeland security is up for consideration, is simply left out of the discussion. The place to begin is not “are we safer” with the security measure in place, but how safe are we without it.


We have calculated that, for the 12‐​year period from 1999 through 2010 (which includes 9/11, of course), there was one chance in 22 million that an airplane flight would be hijacked or otherwise attacked by terrorists.


The question that should be asked of the numerically‐​challenged, then, is the one posed a decade ago by risk analyst Howard Kunreuther: “How much should we be willing to pay for small reductions in probabilities that are already extremely low?”


Cross‐​posted from the Skeptics at the National Interest.

February 17, 2012 3:03PM

Soviet‐​Style Cybersecurity Regulation

Reading over the cybersecurity legislative package recently introduced in the Senate is like reading a Soviet planning document. One of its fundamental flaws, if passed, would be its centralizing and deadening effect on society's responses to the many and varied problems that are poorly captured by the word "cybersecurity."

But I'm most struck by how, at every turn, this bill strains to release cybersecurity regulators---and their regulated entities---from the bonds of law. The Department of Homeland Security could commandeer private infrastructure into its regulatory regime simply by naming it "covered critical infrastructure." DHS and a panel of courtesan institutes and councils would develop the regulatory regime outside of ordinary administrative processes. And---worst, perhaps---regulated entities would be insulated from ordinary legal liability if they were in compliance with government dictates. Regulatory compliance could start to usurp protection of the public as a corporate priority.

The bill retains privacy-threatening information-sharing language that I critiqued in no uncertain terms last week (Title VII), though the language has changed. (I have yet to analyze what effect those changes have.)

The news for Kremlin Beltway-watchers, of course, is that the Department of Homeland Security has won the upper-hand in the turf battle. (That's the upshot of Title III of the bill.) It's been a clever gambit of Washington's to make the debate which agency should handle cybersecurity, rather than asking what the government's role is and what it can actually contribute. Is it a small consolation that it's a civilian security agency that gets to oversee Internet security for us, and not the military? None-of-the-above would have been the best choice of all.

Ah, but the government has access to secret information that nobody else does, doesn't it? Don't be so sure. Secrecy is a claim to authority that I reject. Many swoon to secrecy, assuming the government has 1) special information that is 2) actually helpful. I interpret secrecy as a failure to put facts into evidence. My assumption is the one consistent with accountable government and constitutional liberty. But we're doing Soviet-style cybersecurity here, so let's proceed.

Title I is the part of the bill that Sovietizes cybersecurity. It brings a welter of government agencies, boards, and institutes together with private-sector owners of government-deemed "critical infrastructure" to do sector-by-sector "cyber risk assessments" and to produce "cybersecurity performance requirements." Companies would be penalized if they failed to certify to the government annually that they have "developed and effectively implemented security measures sufficient to satisfy the risk-based security performance requirements." Twenty-first century paperwork violations. But in exchange, critical infrastructure owners would be insulated from liability (sec. 105(e))---a neat corporatist trade-off.

Read the rest of this post »
September 13, 2011 2:47PM

Bathtubs, Terrorists, and Overreaction

I dislike our national obsession with anniversaries and tendency to convert solemn occasions into maudlin ones; to fetishize perceived collective victimization rather than simply recognizing real victims. That kept me from joining in the outpouring of September 11 reflection, now mercifully receding. But I have reflections on the reflections.

The anniversary commentary has, happily, included widespread consideration of the notion that we overreacted to the attacks and did al Qaeda a favor by overestimating their power and making it easier for them to terrorize. Even the Wall Street Journal allowed some of the bigwigs they invited to answer their question of whether we overreacted to the attacks to say, “yes, sort of.”

Unsurprisingly, however, the Journal’s contributors, like almost every other commentator out there, did not define overreaction. It’s easy and correct to say we’ve wasted dollars and lives in response to September 11 but harder to answer the question of how much counterterrorism is too much. So this post explains how to do that, and then considers common objections to the answer.

That answer has to start with cost-benefit analysis. As I put it in my essay in Terrorizing Ourselves, a government overreaction to danger is a policy that fails cost-benefit analysis and thus does more harm than good. But when we speak of harm and good, we have to leave room for goods, like our sense of justice, that are harder to quantify.

Cost-benefit analysis of counterterrorism policies requires first knowing what a policy costs, then estimating how many people terrorists would kill absent that policy, which can involve historical and cross-national comparisons, and finally converting those costs and benefits into a common metric, usually money. Having done that analysis, you have a cost-per-life-saved-per-policy, which can be thought of as the value a policy assigns to a statistical life—the price we have decided to pay to save a life from the harm the policy aims to prevent.

Then you need to know if that price is too high. One way to do so, preferred by economists, is to compare the policy’s life value to the value that the target population uses in their life choices (insurance purchases, salary for hazardous work, and so on). These days, in the United States, a standard range for the value of a statistical life is four to eleven million dollars. If a policy costs more per life saved than that, the market value of a statistical life, then the government could probably produce more longevity by changing or ending the policy. A related concept is risk-risk or health-health analysis, which says that at some cost, a policy will cost more lives than it saves by destroying wealth used for health care and other welfare-enhancing activities. One calculation of that cost, from 2000, is $15 million.

In a new book, Terror, Security, and Money: Balancing the Risks, Benefits, and Costs of Homeland Security,* John Mueller and Mark Stewart use this approach to analyze U.S. counterterrorism’s cost-effectiveness, generating a range of estimates for lives saved for various counterterrorism activities. I haven’t yet read the published book, but in articles that form its basis, they found that most counterterrorism policies, and overall homeland security spending, spend exponentially more per-life saved than what regulatory scholars consider cost-effective.

That is a strong indication that we are overreacting to terrorism. It is not the end of the necessary analysis however, since it leaves open the possibility that counterterrorism has benefits beyond safety that justify its costs. More on that below.

Read the rest of this post »
July 12, 2011 12:21PM

Put Federal Flood Insurance Out of Its Misery

The House of Representatives is scheduled this week, as early as today, to consider an extension and “reform” of the National Flood Insurance Program (NFIP), administered by FEMA. Since Hurricane Katrina in 2005, the NFIP has been about $18 billion in the hole. And this is from a program that only collects around $2 billion a year in premiums, which barely covers losses and expenses in a normal year. So make no mistake, the NFIP is still on course to cost the taxpayer billions more in the future.


Even before Katrina, the Congressional Budget Office estimated that the NFIP was receiving a subsidy of close to a billion dollars a year. Under CBO’s optimistic projections, the House’s reform bill would increase NFIP revenues by about $4 billion over the next ten years, making only a small dent in the program’s current deficit.


The projected cost savings could potentially be lost by the expansion of the NFIP in the House bill. Yes, you read that correctly. Despite being deep in debt, the House is proposing to expand the coverage, and hence the risk, underwritten by the NFIP. For instance, the reform bill adds coverage for living expenses and “business interruption expenses,” as well as increasing the coverage limit from $350,000 (250k for structure and 100k for contents) to about $520,000 per home.


Such a massive expansion of coverage would likely drive out the existing providers of excess flood insurance coverage. And yes, you also read that correctly: there are a handful of insurers that offer private flood insurance. There is absolutely no reason that the private market could not offer flood insurance. Yes, rates might go up for the highest risk properties, but they would likely go down for others (and clearly reduce costs to the taxpayer). And given the high administrative costs of the NFIP (about 30 percent of premiums go directly to private insurance companies to help run it), it is likely that a completely private system of flood insurance would be cheaper.


In the aftermath of the housing bubble and its extreme costs to the taxpayer, we should eliminate the vast array of subsidies for housing construction, including the NFIP. If there’s one thing we should have learned, the underpricing of risk can have disastrous results.

March 28, 2011 9:01PM

The Folly of Succeeding in Libya

Tonight, to sell the illusion of America’s “limited military action” in Libya’s civil war, President Barack Obama insisted that America had a moral imperative to intervene militarily, implying he will do so wherever foreign leaders commit atrocities against their people. This latest mission in the name of “humanitarian imperialism” is extremely dangerous. In fact, if all goes well in Libya, it might be just as bad as if we fail.


Consider, for instance, if I walked through a wall of fire and came out the other side unharmed. Although I came out safe and sound, my decision to walk through the wall of fire was still misinformed. My good outcome was simply one among a host of potentially terrible outcomes. After all, if I were to walk through that wall of fire again and again, given the danger and level of risk, I would end up with many more bad outcomes than good outcomes.


In this respect, and in terms of our external security commitment to Libya, what matters is not necessarily a good outcome, but making a good decision in the face of various options. Thus, even a narrow and limited military engagement does not mean an absence of risk; one need only reference our “narrow and limited” military engagement in Vietnam to understand the danger of foreign gambles. If indeed our military can be ordered by the president to any corner of the globe, for the advance of human rights and in the absence of vital American interests, then the repercussions of our latest intervention could reverberate well beyond Libya.

October 12, 2010 10:47AM

The Court Tackles a Hard Case: Implications for ObamaCare?

The Supreme Court hears oral argument today in an important pre‐​emption case, Bruesewitz v. Wyeth, which asks whether the National Vaccine Injury Compensation Act of 1986 pre‐​empts state law “design defect” suits brought against vaccine manufacturers. I’ve discussed this complex case more fully in an op‐​ed at the Daily Caller, but in a nutshell, Congress passed the Act to address the risks inherent in vaccinations through a federal no‐​fault “Vaccine Court” rather than through the vagaries of state tort law. It did so because the inability to make vaccines entirely safe, plus uncertainty surrounding causation, coupled with the penchant of state juries to discount those issues in favor of sympathetic plaintiffs, had rendered most manufacturers unwilling to produce needed vaccines at reasonable costs. 


In drafting the statute, however, Congress left things unclear, to put it charitably. Thus, the Court will have to make sense of this language:

No vaccine manufacturer shall be liable in a civil action for damages arising from a vaccine‐​related injury or death associated with the administration of a vaccine… if the injury or death resulted from side effects that were unavoidable even though the vaccine was properly prepared and was accompanied by proper directions and warnings.

Although the Act allows victims to sue over manufacturing defects, conduct that would subject a manufacturer to punitive damages, and a manufacturer’s failure to exercise due care, nowhere does it define “unavoidable” — and there’s the nub of the matter. In the case before the Court, a three‐​judge Third Circuit panel decided unanimously for Wyeth, as did the district court. But in another case five months earlier, a nine‐​member Georgia Supreme Court, facing similar facts, decided unanimously for the plaintiff.

And behind it all is the question whether Congress should have pre‐​empted state law in the first place. It probably should have here, but that’s a close call. And the implications for ObamaCare are not absent in this case, which could be a portent of the complex and uncertain litigation that lies ahead if the scheme is not repealed. As I say at the outset of my post, hard cases make bad law, but bad law too makes hard cases, and this is one. Does anyone think that ObamaCare is anything but bad law? We’ll know once we figure out “what’s in it,” as the lady said.

September 23, 2010 8:37AM

‘New Food Safety Bill Could Make Things Worse’

That’s not just my view; that’s the view of writer Barry Estabrook, an ardent critic of the food industry (“Politics of the Plate”), writing at The Atlantic. You needn’t go along completely with Estabrook’s dim view of industrialized agriculture to realize he’s right in one of his central contentions: “the proposed rules would disproportionately impose costs upon” small producers, including traditional, low‐​tech and organic farmers and foodmakers selling to neighbors and local markets. Even those with flawless safety records or selling low‐​risk types of foodstuff could be capsized by new paperwork and regulatory burdens that larger operations will be able to absorb as a cost of doing business. (Earlier here and here.)


Things could reach a showdown any day now. The food safety bill had stalled in the Senate under criticism from small farmer advocates, as the New York Times acknowledged the other day in an absurdly slanted editorial that somehow got printed as a news article. Now Harry Reid is talking about forcing the bill through before the midterms. Significantly — as advocates of the bill trumpet — large foodmakers and agribusiness concerns have signed off on the bill as acceptable to them. Well, yes, they would, wouldn’t they?

I was on TV the other week (Hearst news service) trying to make a few of these points. I borrowed my closing line from an excellent Steve Chapman column, which I was unable to credit on air, but can credit here.