Friday, January 11, 2008

On Risk, Soft Targets, Vulnerability, and The Big Picture

Good stuff from Bob Baylor in Losantiville, whose wide-ranging post deals with risk assessment, soft targets, and the efficacy of interdiction efforts (including "see something..." programs discussed a couple of days ago at HLS Watch and right here.)

Using the example of a fictional county commissioner who must prioritize projects, Bob writes:

Often as the saying goes it’s the squeakiest wheel that gets the grease. Prioritization of projects may make sense from a fiscal point of view, however it does not change the fact that many other vulnerabilities may exist but due to a lack of funding must be left until sufficient dollars become available. By addressing vulnerabilities in such a manner, the county commissioner in this example could be increasing the likelihood that their community may be attacked.

Tacticians regardless of their motivations and allegiances look for areas of weakness in their enemies’ defenses to exploit. Major homeland security projects will call the potential terrorists’ attention to which structures have been protected and by default which ones have not.

In one sense ... hardening one area against attack may provide the inspiration needed to divine the true area of vulnerability.

Granted, this assumes a relatively high level of sophistication on the part of the adversary. But as we have seen in the past, some terrorist groups are capable of such sophistication.

But regardless of the level of sophistication of the adversary, it's true that they'll try to exploit the areas of vulnerability that they perceive can be successfully attacked. U.S. forces in Iraq have dealt with this problem, as insurgents there constantly shifted locations, targets, and modes of attack.

Bob describes how this tendency to seek softer targets can affect risk:

Going back to my example of the county commissioner, efforts to insure vital areas and critical infrastructures are protected could drive a terrorist to plan an attack from an adjacent location. The location may not have sufficient funding nor have the same risk associated as their neighbor.

For instance, the city water supply may originate from a remote area outside the county and thus susceptible to attack. Taking steps to protect water supplies may cause terrorist planners to note other targets such as power substations, fiber optic cables, or agricultural areas.

Viewed in this light - as an effort to protect targets vs. an effort to exploit them - it's a never-ending game of cat and mouse. Which leads to a few thoughts:

1. Protecting vulnerable assets, in and of itself, is a necessary but never sufficient approach to homeland security. You simply cannot protect everything all at once.
2. Trade-offs are necessary; assessing and managing risks are critical to homeland security.
3. You have to take other steps to detect and deter. Protection is only one element of prevention. You have to deter adversaries and pre-empt their activities, too.
4. Risk assessment should look beyond jurisdictional borders. Regional thinking is vital, as I suggested in this post a few days ago about the Bay Area's new Regional Emergency Coordination Plan. Because urban, suburban, and rural areas are interlinked with infrastructure networks, what occurs in one can affect the others. Because we are a nation of networks, a given jurisdiction may not have direct control over some of the assets that make it vulnerable.

This is why, as Bob suggests, regional thinking ought not be limited to response, but should extend to prevention as well. A vulnerability in one section of the network can have a widespread effect on the entire network, because all critical infrastructure networks include choke points and critical nodes. As the recent GAO report on maritime security pointed out:

[T]he liquified natural gas (LNG) facility in Everett, Massachusetts is the only facility importing LNG in the Northeast. LNG is very important to the Northeast during heating season because natural gas movement into the Northeast is constrained during the winter because existing pipelines to New England are fully utilized.

A report prepared by the Power Planning Committee of the New England Governor’s Conference, Inc., concluded that if LNG from the Everett facility and satellite operations elsewhere in the region is not available on a peak winter day, the region could have insufficient gas supply to meet the needs of all customers for space heating and some key electric generators. An attack that damages the Everett LNG facility during a cold winter could result in natural gas shortages or price spikes.

Clearly the Everett LNG facility is a critical - and easily recognized - node in the energy supply system of the Northeast. But what other critical nodes affect the Northeast?

Thinking more locally: What critical infrastructure networks are present in your jurisdiction? Oil and gas pipelines? Telecommunications? Electricity? Agriculture?

Now the big questions: Are there any critical nodes in these networks, within the boundaries of your jurisdiction? If so, exactly how critical are those nodes? What would be the impact of losing one of those critical nodes? (Remember the cascading failures of the 2003 Northeast Blackout?)

Are there critical nodes of networks that lie in other jurisdictions, whose loss would cause harm within your own jurisdiction? Water reservoirs? Power stations? Communications assets? Critical transportation assets (e.g., bridges)?

Unless these questions are asked, communities put themselves at greater risk. As Bob puts it:

Too often communities implement systems to reduce terrorist attacks but do so in a vacuum without looking at how such actions may fit into a larger strategic plan.

Only when you start looking beyond jurisdictional boundaries does a true understanding of risk become apparent.
