Terrorism presents a complex set of security problems. That's easy to see in the welter of discussion about the recent attempted bombing on a plane flying from Amsterdam into Detroit. The media and blogs are poring over the many different security systems implicated by this story. Unfortunately, many are reviewing them all at once, which is very confusing.
Each security system aimed to protect against terror attacks and other threats involves difficult and complex balancing among many different interests and values. Each system deserves separate consideration, along with analysis of how they interact with one another.
A helpful way to unpack security is by thinking in terms of "layers." Calling it security “layering” is a way of describing the many different practices and technologies that limit threats to the things we prize. (It’s another lens on security, compatible with the risk management framework I laid out shortly after the Fort Hood shooting.)
Let's think about some of the security layers deployed to protect people on airplanes against someone like the individual who sought to bomb this flight into Detroit. There are many different security layers. Examining how they worked or failed positions us to tune our security systems better for the future.
It would make sense to start with the security measure that ultimately ceased the attack---human intervention---and move out layer-by-layer from there. But we should actually start by pondering what course events might have followed if the attack hadn't been thwarted when it was.
The design of airplanes is a security layer that this event did not implicate. Few people are aware that planes are designed to survive damage---even significant damage---and still remain aloft. The seat assignment of this would-be bomber comes into play here, of course. Did he seek out a seat along the wing intending to damage fuel tanks, or was it just a chance assignment? We don't know yet.
Depending on how events might have unfolded in the event of an actual blast, various other layers may have come into play: pilot training, other design elements of the plane like redundant controls, availability of first aid equipment, flight crew training, and so on.
The good news---worth stating again because much commentary overlooks it---is that this plot failed.
The security layer we credit most for its failure is the direct intervention of other passengers. People who discuss only government programs or policies overlook an important, forceful, and highly adaptive security layer: empowered individuals. We should not prefer to rely on this kind of human intervention, of course---it kicks in far too late for comfort. But it is there, and in this case it worked.
Next, there is weapons detection. The consensus is strong that this layer failed, but this layer did some work, which also shouldn't be overlooked.
To get it past anticipated security checks, the "bomb" had to be modified in a way that ultimately reduced it to a far less dangerous incendiary device. It wasn't human intervention alone, but the combination of the weapons detection layer and the human layer that foiled the plot.
Nonetheless, given the consensus that weapons detection failed outright, it is likely that millimeter wave scanning (aka "strip-search machines") will see broader adoption in air security, trumping privacy concerns that had dealt it some setbacks.
Another layer---more clearly a failure---was the watch list/no-fly list system (or systems). Watch-lists are porous when they're at their best: They can only catch people already known to be threats, and then only those who are accurately identified at the airport.
Secretary Napolitano originally said that there wasn't specific derogatory information to justify placing this person on a no-fly list, but unfolding reporting suggests that this was not the case. I agree that watch-listing failed, but I struggle to imagine how it could actually succeed. What general rule, administered on the scale required, could properly deny boarding to genuine attackers without unacceptably denying travel to thousands and thousands of non-attackers every year? Making sense of watch-listing is difficult, and it's no surprise to me that this security layer failed.
A sibling layer is visa management. Unlike the last-minute decision whether or not to allow a person onto a plane, visa applications can be examined with some leisure, using not only lists of derogatory information but also information gathered from applicants and other sources.
Foreign nationals have no right to enter the United States, and the decision to exclude people seems well placed at this layer compared to last-minute use of watch-lists or no-fly lists. By comparison to authorities in the UK, who evidently excluded him, it appears to have been error to allow the Detroit bomb plotter to have kept his U.S. visa. This is yet another security issue deserving investigation.
Other security layers, of course, include whatever intelligence might have been picked up in Yemen and whatever actions might have been taken in light of it.
Are there more layers of security to examine? Undoubtedly there are.
One of interest to me might be called the "strategic layer"---steps to deny terrorists the strategic gains they seek. It is unclear what goal, if any, the Detroit bomb plotter had, but U.S. National War College professor of strategy Audrey Kurth Cronin identifies a number of "strategies of leverage" terrorism seeks to exploit.
Terrorists are weak actors, unable to muster conventional forces that threaten a state directly. So they try to use the power of the states they attack to achieve their aims. Provocation is an example---getting a state to overreact and undercut its own legitimacy. Polarization is another: Most often in domestic contexts, terror attacks can drive wedges among different ethnic, religious, or cultural groups, destabilizing the state and society.
Mobilization is the strategy of leverage most likely at play here---seeking to recruit and rally the masses to a cause. There's no argument that this alienated loner is an articulate strategist, of course, but his attack could signal the importance of terrorism to a worldwide audience, making terrorism more attractive to opponents of U.S. power.
Even a failed attack could send such a signal if U.S. government authorities allow it. I wrote in an earlier post how their reactions will dictate the "success" or "failure" of this attack as terrorism.
As to the strategic layer, I believe that, amid programmatic and policy failures, President Obama is due credit for his handling of communications. It was very pleasing to see a Washington Post story Monday headlined: "Obama Addresses Airline Security in Low-Key Fashion." He is obligated to respond to domestic demands for communication, of course, but declining to exalt terrorism and this incident should not earn him demerits. It should earn him applause.
The alternative---hustling the president of the United States in front of cameras to make incautious statements---would send an unfortunate signal to the world: Any young man, from anywhere across the globe, can poke the president of the United States in the eye, even if his attack on a U.S. target fails. Such a message would invite more terrorist acts.
Attacks not mounted aren't measured, of course, but attacks would likely increase if it appeared that attacking the U.S. and its interests could visibly fluster the U.S. president. The discipline shown by the White House during this event is an important contribution to our security from the next attack. Politicians beneath President Obama's grade should take a lesson and control their reactions as well.
Next, I hope to see communications that subtly and appropriately portray the underwear bomb plotter as the loser that he is. I have declined to use his name, because this wretch should go namelessly to oblivion. And I am pleased to see that U.S. authorities have released an image of his underwear, half-suspecting that this was done to help make his legacy the indignity of being beaten by Americans and having his underwear displayed to the world.
I am also pleased to see him called the "underwear bomber" in some news reports. I would call him the "underwear bomb plotter" because he only managed to light a fire. This is not to trivialize the attack, but to diminish the standing of the person who committed it. People around the world who might consider terrorism are watching how we react to this event, and I want no one to believe that following in the footsteps of the underwear bomb plotter is a good idea.
Let's also observe that the plane he would have brought down bore innocent women and children. Among them likely were many good Muslim people. Had he succeeded, he would have added to the count of orphaned children in the world. This is not someone to emulate, and official communications should be sounding these themes if they aren't already.
Given how difficult it is to physically foreclose all vectors of attack while maintaining our society as open and free, strategic communications like this---to deny terrorists the rhetorical gains they seek from us---are very important. Portraying this person as a wrongheaded failure is part of the strategic layer in our security, far preferable to treating him as a diabolical anti-hero.
This incomplete discussion is intended only to illustrate the many different security layers at issue in the underwear bomb plot. Thoughtful readers will undoubtedly find gaps and misstatements in this discussion based on more precise facts and better technical or programmatic knowledge than I have.
Thankfully, we have an opportunity to learn about our security from this failed attack. Had it succeeded, it appears that our society remains ill-equipped to maintain an even keel. The intensity of commentary and analysis on this event shows that a successful terrorist would likely knock us off our game. The impulse to do something---anything---would overwhelm us, and we would likely overreact by retaliating imprecisely, by pouring our energy into security measures that don't actually work, and so on. Such missteps are congenial to terrorism, and we should try to avoid them.