Lone Wolves = Good News?

The risk of Islamist "lone wolf" terrorism may be on the rise:

A newly declassified Canadian intelligence report is warning about the emerging threat posed by "lone wolf" Islamist terrorists who operate completely on their own.

Terrorists inspired by al-Qaeda have, in the past, tended to work in cells, but the report says they are beginning to use the solo strategy once associated with the militant far right.

Lone wolves such as Timothy McVeigh can do damage, of course. But they're not going to pull off an attack on the scale of 9/11 or the East Africa embassy bombings. So in a sense, this could be seen as good news. If they don't feel secure gathering together, that's a victory for our counterterrorism efforts.

But there's another view: The idea that this is all a great strategic distraction, to keep us chasing our tails:

Terrorism expert Bruce Hoffman said he believes the Canadian assessment is correct and that the shift is part of a larger strategy to distract and exhaust Western counterterrorism agencies.

"I think it's right but I think this is yet another example of the strategic sophistication of our adversaries in that by encouraging lone wolves, I think they're trying to suck the resources from our security and intelligence services and police departments," he said.

"In other words, if there's a homegrown threat, which is one thing, now there's a lone wolf threat. And I think they're both legitimate. I think part of al-Qaeda's strategy, the jihadi strategy, is to get everyone so consumed with these grassroots threats that it gives greater scope to the real professionals to operate."

Such a view is in harmony with what bin Laden himself said in 2004:

All that we have to do is to send two mujahidin to the furthest point east to raise a piece of cloth on which is written al-Qaida, in order to make the [American] generals race there to cause America to suffer human, economic, and political losses ...

So, what to do? Spend energy on the risk of lone wolves, or continue focusing on preventing the emergence of more organized operations? My vote is for the latter.

Lone wolf attacks, even in a series, would be localized and unlikely to have a lasting effect on the U.S. From a risk-management perspective, the better option may be to continue focusing on preventing the formation of operational cells that could inflict greater damage.

Lead, Follow, or ... Something

Evidence that 9/11 is receding into memory: an article in today's New York Times, describing state and local resistance to DHS' priorities for homeland security funding:

More openly than at any time since the Sept. 11 attacks, state and local authorities have begun to complain that the federal financing for domestic security is being too closely tied to combating potential terrorist threats, at a time when they say they have more urgent priorities.

Local officials do not dismiss the terrorist threat, but many are trying to retool counterterrorism programs so that they focus more directly on combating gun violence, narcotics trafficking and gangs — while arguing that these programs, too, should qualify for federal financing, on the theory that terrorists may engage in criminal activity as a precursor to an attack.

I've long argued that precursor crimes are a good way to target potential terrorist cells. But it depends how it's done. If it's a strategic effort that involves information-sharing in an active search for links to potential terrorism, that's good. But if it's simply an attempt to conflate ordinary crime-fighting with "potential terrorism" (because, well, you never know who might be a terrorist...), then that's not strategic. It would just be a matter of luck. Your effort to stop crime might uncover a terrorist because any type of police work could.

The Seattle chief of police, R. Gil Kerlikowske, said, “If the law enforcement focus at the local level is only on counterterrorism, you will be unable as a local entity to sustain it unless you are an all-crimes operation, and you may be missing some very significant issues that could be related to terrorism.”

Chief Kerlikowske is president of a group of police chiefs from major cities who said in a report last week that local governments were being forced to spend increasingly scarce resources because, they say, Homeland Security did not pay for all the costs. “Most local governments move law enforcement, counterterrorism and intelligence programs down on the priority list because their municipality has not yet been directly affected by an attack,” the report said.

What we're seeing here is two ends of a spectrum, neither of which is appropriate. On the one hand, it's ridiculous to imagine that local law enforcement should exclusively focus on combating terrorism.

And on the other hand, no jurisdiction should ignore the potential for terrorism or erroneously conflate all crime-fighting with counterterrorism. Like any low-probability, high-impact event (an earthquake, a tornado, etc), a potential terrorist attack should be prepared for and prevented and/or mitigated to the degree possible.

Science and Security

I like what they're doing in New Zealand:

Scientists are to work directly with civil defence authorities under a new memorandum designed to improve national emergency management.

The agreement means emergency response agencies will get direct access to scientific data relevant to planning civil defence strategies.

And scientists will have access to emergency scenes to improve their understanding of hazards facing New Zealand.

In emergency situations, the ministry will make space for GNS Science staff in the National Crisis Management Centre...

All too often, science is undervalued as a risk-management resource at the level of policy-making.

On Risk, Soft Targets, Vulnerability, and The Big Picture

Good stuff from Bob Baylor in Losantiville, whose wide-ranging post deals with risk assessment, soft targets, and the efficacy of interdiction efforts (including "see something..." programs discussed a couple of days ago at HLS Watch and right here.)

Using the example of a fictional county commissioner who must prioritize projects, Bob writes:

Often as the saying goes it’s the squeakiest wheel that gets the grease. Prioritization of projects may make sense from a fiscal point of view, however it does not change the fact that many other vulnerabilities may exist but due to a lack a funding must be left until sufficient dollars become available. By addressing vulnerabilities in such a manner, the county commissioner in this example could be increasing the likelihood that their community may be attacked.

Tacticians regardless of their motivations and allegiances look for areas of weakness in their enemies defenses to exploit. Major homeland security projects will call the potential terrorists attention to which structures have been protected and by default which ones have not.

In one sense ... hardening one area against attack may provide the inspiration needed to divine the true area of vulnerability.

Granted, this assumes a relatively high level of sophistication on the part of the adversary. But as we have seen in the past, some terrorist groups are capable of such sophistication.

But regardless of the level of sophistication of the adversary, it's true that they'll try to exploit the areas of vulnerability that they perceive can be successfully attacked. U.S. forces in Iraq have dealt with this problem, as insurgents there constantly shifted locations, targets, and modes of attack.

Bob describes how this tendency to seek softer targets can affect risk:

Going back to my example of the county commissioner, efforts to insure vital areas and critical infrastructures are protected could drive a terrorist to plan an attack from an adjacent location. The location may not have sufficient funding nor have the same risk associated as their neighbor.

For instance, the city water supply may originate from a remote area outside the county and thus susceptible to attack. Taking steps to protect water supplies may cause terrorist planners to note other targets such as power substations, fiber optic cables, or agricultural areas.

Viewed in this light - as an effort to protect targets vs. an effort to exploit them - it's a never-ending game of cat and mouse. Which leads to a few thoughts:

1. Protecting vulnerable assets, in and of itself, is a necessary but never sufficient approach to homeland security. You simply cannot protect everything all at once.
2. Trade-offs are a necessary; assessing and managing risks are critical to homeland security.
3. You have to take other steps to detect and deter. Protection is only one element of prevention. You have to deter adversaries and pre-empt their activities, too.
4. Risk assessment should look beyond jurisdictional borders. Regional thinking is vital, as I suggested in this post a few days ago about the Bay Area's new Regional Emergency Coordination Plan. Because urban, suburban, and rural areas are interlinked with infrastructure networks, what occurs in one can affect the others. Because we are a nation of networks, a given jurisdiction may not have direct control over some of the assets that make it vulnerable.

This is why, as Bob suggests, regional thinking ought not be limited to response, but to prevention as well. A vulnerability in one section of the network can have a widespread effect on the entire network, because all critical infrastructure networks include choke points and critical nodes. As the recent GAO report on maritime security pointed out:

[T]he liquified natural gas (LNG) facility in Everett, Massachusetts is the only facility importing LNG in the Northeast. LNG is very important to the Northeast during heating season because natural gas movement into the Northeast is constrained during the winter because existing pipelines to New England are fully utilized.

A report prepared by the Power Planning Committee of the New England Governor’s Conference, Inc., concluded that if LNG from the Everett facility and satellite operations elsewhere in the region is not available on a peak winter day, the region could have insufficient gas supply to meet the needs of all customers for space heating and some key electric generators. An attack that damages the Everett LNG facility during a cold winter could result in natural gas shortages or price spikes.

Clearly the Everett LNG facility is a critical - and easily recognized - node in the energy supply system of the Northeast. But what other critical nodes affect the Northeast?

Thinking more locally: What critical infrastructure networks are present in your jurisdiction? Oil and gas pipelines? Telecommunications? Electricity? Agriculture?

Now the big questions: Are there any critical nodes in these networks, within the boundaries of your jurisdiction? If so, exactly how critical are those nodes? What would be the impact of losing one of those critical nodes? (Remember the cascading failures of the 2003 Northeast Blackout?)

Are there critical nodes of networks that lie in other jurisdictions, whose loss would cause harm within your own jurisdiction? Water reservoirs? Power stations? Communications assets? Critical transportation assets (e.g., bridges)?

Unless these questions are asked, communities put themselves at greater risk. As Bob puts it:

Too often communities implement systems to reduce terrorist attacks but do so in a vacuum without looking at how such actions may fit into larger strategic plan.

Only when you start looking beyond jurisdictional boundaries does a true understanding of risk become apparent.

We See Nothing? ... We See Nothing?

A very good post from Jonah at HLS Watch today, arguing that all too often our counterterrorism strategy is based on this kind of thinking:


Jonah argues that:

we should beware the tendency to shape our strategy based on the theory that “it could happen.”

Agreed. Although almost anything can happen you simply can't be prepared for everything all at once. (I should point out that DHS Secretary Chertoff, in justifying justify risk-based decision making and funding, constantly makes this point, arguing that it's impossible to protect against all threats.)

Jonah continues:

So it bothered me when Paul J. Browne, an NYPD police spokesman told the New York Times this week, “One call one day may be the one that stops an attempt to destroy the Brooklyn Bridge.” He was justifying the ubiquitous ad campaign across the City’s subway system urging riders to “say something” if they “see something.”

While some crimes were inadvertently uncovered by the callers – ranging from selling false IDs to illegal fireworks peddling – none of the calls resulted from or discovered actual terrorism threats. NYC’s subway riders were applying their own “no-fly list” to other riders. 13,373 callers would have sent fellow riders to secondary, but would have found no terrorists. This is the trickle down effect of “it could happen.”

The real issue, as I see it, is ignorance. When we are ignorant of the context in which we find ourselves, we cannot make good decisions. If we don't know what to look for, we look for anything and everything. As a result, we are likely to focus on the wrong thing, like the dog pictured above.

Jonah is absolutely right that all of this is a net cost. We spend (read: waste) time, energy and resources looking for needles in haystacks. Jonah puts it this way:

But if our homeland is secured by an “anything’s possible” strategy, we’ll wind up doing at least one of three things:

– Going broke
– Tying up anti-terrorism assets with non-threats
– Eroding our sense of community and eventually our ability to be resilient if we are attacked again

None of these outcomes will happen quickly. However, the prospect does force a cost-benefit analysis of a new kind. Is it worth $10 billion to reduce the chance of a successful MANPAD launch against an airliner? Does a terrorism hotline make us safer if we don’t know what to look for?

Risk-based CBA is essential. We are very good at defending against the last attack. Six years after Richard Reid, we are still removing our shoes at the airport. But is this the best way to spend our time and money? Perhaps not.

Other risks rise to the surface, and we have to prepare for them. In a world of finite resources, we have to make choices. The tough part is understanding and communicating the idea that there are some risks we will just have to live with.

There is a tendency to believe that Americans will not accept significant risks. I do not ascribe to this view. While it's true that we've created a society which has greatly reduced our personal risk (due to injury, illness, etc.), we are capable of living with and accepting great risk. We've survived existential threats in the past. With effective leadership, we can face them again.

Note: In an update to his post, Jonah backtracks a bit from his criticism of the "see something, say something" program:

I will concede this: the terrorism hotline serves another potential benefit beyond empowering subway riders. The notion of an overly alert ridership has the potential to introduce enough uncertainty on the part of a perpetrator to second guess the viability of an operation.

I'm still a skeptic. Not because "see something" is inherently a faulty idea, but rather because the person doing the "seeing" lacks critical characteristics that will make their "seeing" effective.

Put another way, the issue is not the alertness of subway riders. The issue is their knowledge level. If we assume that the typical transit attack employs an IED, a terrorist is going to be able to slip past an ignorant public if he does just a little bit of homework.

By way of making the point, let's contrast a bus in Jerusalem and a bus in Brooklyn. In Israel, hard experience and public education campaigns have taught the public what to look for. They are knowledgeable about the observable operational and psychological markers of a bus bombing. As a result, they do a relatively good job of spotting potential bombers (and yet some still can get through). In Brooklyn, however, a largely ignorant public is liable to look for all the wrong things.

If we're going to invest in a "see something" program, we ought to invest in a public education program that is going to create a public that's knowledgeable enough to give a potential terrorist pause - resulting in the deterrent effect that Jonah describes.

Catastrophe Preparation and Response: Be the Strategy

A few interesting points came out in Tuesday's testimony from William Jenkins, the Director of Homeland Security and Justice issues for GAO, in front of the House Committee on Oversight and Government Reform.

Jenkins was discussing the national system for dealing with catastrophic events. Appropriately in my mind, he argues that a more strategic approach is needed - because in spite of all the shuffling that's happened over the past 6 years, it's still clear that we don't truly have an integrated national system for dealing with the risk of catastrophe:

The Comptroller General has suggested one area for fundamental reform and oversight is ensuring a strategic and integrated approach to prepare for, respond to, recover, and rebuild after catastrophic events.

It is important to view preparedness for and response to major disasters as a national system with linked responsibilities and capabilities. This is because effective preparedness for and response to major disasters requires the coordinated planning and actions of multiple actors from multiple first responder disciplines, jurisdictions, and levels of government as well as nongovernmental entities.

In preparing for, responding to, and recovering from any catastrophic disaster, the legal authorities, roles and responsibilities, and lines of authority at all levels of government must be clearly defined, effectively communicated, and well understood to facilitate rapid and effective decision making.

In spite of new plans such as the National Response Plan (NRP), the National Incident Management System (NIMS), and the National Preparedness Goal (NPG) - all of which are currently in the process of being revised - there is, as yet, no clarity, especially between levels of government. Some advanced work (e.g., naming Federal Coordinating Officers and Primary Federal Officials in advance) will help - but it's still incumbent on response agencies at all levels of government to make the personal connections:

There is still some question among state and local first responders about the need for both [the Federal Coordinating Officer (FCO) and Primary Federal Official (PFO)] positions and how they will work together in disaster response. One potential benefit of naming the FCOs and PFOs in advance is that they have an opportunity to meet and discuss expectations, roles and responsibilities with state, local, and nongovernmental officials before an actual disaster, possibly setting the groundwork for improved coordination and communication in an actual disaster.

While the Secretary of Homeland Security may avoid conflicts by appointing a single individual to serve in both [FCO and PFO] positions in non-terrorist incidents, confusion may persist if the Secretary of Homeland Security does not exercise this discretion to do so. Furthermore, this discretion does not exist for terrorist incidents, and the revised NRP does not specifically provide a rationale for this limitation.

And here's something else came out that I need to examine more closely: The lack of full integration with the National Guard:

[T]he types and quantities of equipment the National Guard needs to respond to large-scale disasters have not been fully identified because the multiple federal and state agencies that would have roles in responding to such events have not completed and integrated their plans.

As a liaison between the Army, the Air Force, and the states, the National Guard Bureau is well positioned to facilitate state planning for National Guard forces. However, until the bureau’s charter and its civil support regulation are revised to define its role in facilitating state planning for multistate events, such planning may remain incomplete, and the National Guard may not be prepared to respond as effectively and efficiently as possible. In addition, questions have arisen about the level of resources the National Guard has available for domestic emergency response. DOD does not routinely measure the equipment readiness of nondeployed National Guard forces for domestic civil support missions or report this information to Congress.

Some of the key questions remain only partially answered:

Essentially, all levels of government are still struggling to define and act on the answers to basic, but hardly simple, questions about emergency preparedness and response:

• What is important (that is, what are our priorities)?
• How do we know what is important (e.g., risk assessments, performance standards)?
• How do we measure, attain, and sustain success?
• On what basis do we make necessary trade-offs, given finite resources?

There are no simple, easy answers to these questions. The data available for answering them are incomplete and imperfect. We have better information and a better sense of what needs to be done for some types of major emergency events than for others. For some natural disasters, such as regional wildfires and flooding, there is more experience and therefore a better basis on which to assess preparation and response efforts and identify gaps that need to be addressed.

For its part, DHS has the right idea in promoting regional and multistate planning, but it's still unclear how well it works on the ground:

Through its grant guidance, DHS has encouraged regional and multistate planning and preparation. Planning and assistance have largely been focused on single jurisdictions and their immediately adjacent neighbors. However, well-documented problems with the abilities of first responders from multiple jurisdictions to communicate at the site of an incident and the potential for large-scale natural and terrorist disasters have generated a debate on the extent to which first responders should be focusing their planning and preparation on a regional and multi-governmental basis.

As I mentioned earlier, an overarching national priority for the NPG is embracing regional approaches to building, sustaining, and sharing capabilities at all levels of government. All HSGP applications are to reflect regional coordination and show an investment strategy that institutionalizes regional security strategy integration. However, it is not known to what extent regional and multistate planning has progressed and is effective.

Short answer: We're still muddling through.

A final note on the National Preparedness Goal (NPG), which has enjoyed "interim" status since March 2005, by my count:

FEMA officials have told us that the final version of the NPG and its corresponding documents are currently receiving final reviews by the White House and will be out shortly.

I wonder what "shortly" means.

Former MI5 Head: Jihadist Radicalization Process Speeds Up

In The Daily Telegraph, the former head of Britain's internal intelligence agency, the MI5, says that the radicalization process of jihadists in the UK is speeding up.

Dame Eliza Manningham-Buller, the former director-general of MI5, said the radicalisation of teenage Muslims "from first exposure, to extremism, to active participation in terrorist plotting" was now worryingly rapid.

It was vital that the Government rose to the challenge of trying to change the attitudes that "lead some of our young people to become terrorists".

How to do this? Manningham-Buller advises:

She warned of the "pressing demand" for the police to create a secret network of Muslim spies capable of improving intelligence gathering.

[S]he called on both the police and MI5 to develop their relationship, which she said had created a counter-terrorist organisation "unmatched anywhere in the world".

In creating a network of Muslim spies, is the goal to infiltrate and disrupt potential jihadist groups, or is it to identify and address the root causes of the quickening pace of jihadism? The former is a necessary-but-insufficient short-term solution. The latter is ultimately the key to addressing the threat.

And yet...

The former spy chief also warned that "it is inevitable that some terrorist plots will escape our combined attention," adding: "Even if we have the numbers of personnel engaged in looking at our own citizens as, say, the KGB or the Stasi did during the Cold War, and with the same authoritarian powers, some things would slip under the radar."

Manningham-Buller's warning regarding the inevitability of terrorist attacks is well-founded and appropriate. The idea that the U.S. can eliminate the risk of further terrorist attacks - or even that we already have eliminated it - is a false notion. We run the risk of being lulled into a false sense of security.

Such misperceptions are ultimately dangerous, as they disrupt our ability to respond in a manner consistent with the threat.

Update 2007-07-09: A tip of the cap to Jonah Czerwinski at Homeland Security Watch, who also addresses the radicalization process. Jonah links to a pair of related documents which I'll briefly cover here. First is the recent congressional testimony of Frank Cilluffo, who directs the Homeland Security Policy Institute and George Washington U.

Cilluffo contextualizes the problem:

Radicalization is not a well understood phenomenon, hence greater study of the life cycle of a terrorist – specifically, the process by which an individual becomes motivated to listen to radical ideas, read about them, self-enlist or respond to terrorist recruiting efforts, and ultimately, undertake terrorist activity – is needed in part to identify trigger points and possible points of intervention.

There is agreement that there is no single terrorist profile; however, there are some more general indicators that may indicate whether a young person is susceptible to the siren song of jihadism, such as a desire to join a group, to do something meaningful, to strike back against perceived forces of oppression, etc. (See this post.)

Cilluffo addresses the differences between "homegrown terrorism" in Europe and the U.S.:

[I]t is something of a misnomer to speak of “homegrown terrorism” for the term is suggestive of watertight compartments that do not in fact exist. To the contrary, we live in a borderless world and the threats that we face are similarly transnational. That said, the United States remains in some respects reasonably well situated. Other countries are currently experiencing a more full-blown manifestation of certain dimensions of the problem such as the United Kingdom. In a sense therefore, we have an opportunity to get ahead of the curve and deal proactively with these elements before they have the chance to flourish more vigorously in this country.

It is true that real differences exist between the U.S. and Europe, in terms of the risk of jihadism (See this post as well as this analysis of European jihadism from Foreign Affairs.) But Cilluffo is correct in his assertion that we are becoming borderless.

Internet chat rooms are now supplementing and replacing mosques, community centers and coffee shops as venues for recruitment and radicalization by terrorist groups like al Qaeda. The real time, two-way dialogue of chat rooms has enabled extremist ideas to be shared, take root, be reaffirmed and spread exponentially. By incorporating and manipulating local political grievances – some of which are legitimate – extremists have woven an effective tale of an imaginary “clash of civilizations.” The extremists’ compelling “call to action” based partly on myths and falsehoods begs for the development of an effective counter-narrative that forcefully refutes and responds to the extremists’ own.

[I]t is clear that the U.S. needs to catch up in this cyber-battle of words and ideas. However, unless elements of the counter-narrative emanate from within the Muslim community and are conveyed by voices that are trusted and credible within those communities, the opportunity to achieve impact will be limited at best.

So far it seems that online recruits have not been able to develop robust operational capabilities. The intent is there, but the skills are lacking.

The larger point here is the creation of the counter-narrative. I couldn't agree more.

Cilluffo extends his argument, echoing my sentiments above - that infiltration and disruption are only short-term fixes to the radicalization problem, and that a real solution must address the root causes:

Granted, where appropriate we should seek to deny or disrupt extremist access to and extremist efforts through the Internet via legal and technical means and covert action. At the same time however, it is crucial that we bear in mind wider and deeper goals and themes such as the need to offer an alternative to those who feel alienated and marginalized. Another example is the importance of intelligence work to inform counterterrorism. These underlying or foundational elements merit special consideration as they are critical components of our efforts concerning radicalization writ large.

Importantly for local first preventers, Cilluffo emphasizes the importance of local action to solve the radicalization problem:

[T]he solution sets for the problem under discussion must emanate principally from the grassroots, from local communities, their leaders and the citizens that reside there. Governments at the federal, state, local and tribal levels certainly have a contribution to make however, and there is also a measure of interplay between the public and private sectors that is and will continue to be crucial to combating radicalization at home and elsewhere.

For instance, law enforcement at the local level should develop new relationships and deepen existing ones within Muslim communities as local figures are best placed to identify radicalization at its earliest stages. Cultivated mutual respect and understanding between officials and communities, founded on a solid education about Muslim cultures and Islam, is critical. Notably, in the Fort Dix case, the mosque attended by three of the plotters quickly called an “emergency town hall meeting” to invite law enforcement, other officials, and members of the public “to ask anything they want about the mosque or about Islam, and to publicize a ringing denunciation of terrorism and violence of any sort…”.

Also see this post regarding the relationship between local law enforcement and Muslim communities.

Next, Jonah links to this report from the Future of Terrorism Task Force. Published in January and attributed to 9/11 Commission co-chair Lee Hamilton and the aforementioned Frank Cilluffo, it comes to a similar conclusion as Manningham-Buller:

Like crime or disease, terrorism should be conceived as a chronic problem requiring a sustained and patient strategy, with ever evolving tactics.

Hamilton and Cilluffo also find that radicalization is spreading:

While difficult to measure with precision, it is known that al Qaeda’s ideology is spreading. Per the National Intelligence Estimate, “Although we cannot measure the extent of the spread with precision, a large body of all-source reporting indicates that activists identifying themselves as jihadists, although a small percentage of Muslims, are increasing in both number and geographic dispersion.”

One problem that limits the West's ability to prevent the spread of jihadism is limited knowledge of Islam. As a result, we have a difficult time driving a wedge between the violent jihadists and the broad Muslim community:

Muslim culture, and in particular the Islamic faith, are not widely understood within the Western world. This lack of understanding, coupled with fear of extremist adversaries, taints our ability to relate with the larger and overwhelmingly peaceful and moderate Muslim population, reinforcing misconceptions of and dividing us from those susceptible to radicalization.

But the effort to drive this wedge is best placed at the local level:

The potential rise of self radicalized, unaffiliated terrorists domestically cannot be easily prevented through traditional federal intelligence efforts, and requires the incorporation of state and local solutions. Similarly, the protection of critical assets, as well as the initial response to an attack, are primarily state, local and private sector responsibilities, with federal assets and resources provided as a supplement.

As we carry out our counterterrorism efforts, we can learn important lessons from other nations:

Australian officials, for example, have concluded that protective security measures over the next five years must not become rigid, and both variability and unpredictability must be consciously injected into flexible prevention measures.

Israeli officials highlighted the need for public participation, rather than just awareness, and emphasized that resilience must be built from the bottom up in addition to the top down.

In Britain, officials have worked to inculcate in the public an understanding that there is no such thing as zero risk, and that sometimes even the best efforts of the authorities will not be good enough.

As I see it, the underlying philosophical stance of Hamilton and Cilluffo's argument is best expressed by this passage:

To change hearts and minds – and encourage moderation – we must challenge ideas with ideas. Trust is the most valuable currency we have in this battle because trust underpins all counterterrorism tools (e.g., military, diplomatic/policy, legal, economic and covert action).

What Chertoff Said

DHS Secretary Michael Chertoff said a few things worth noting in a recent speech to the Sacramento Chamber of Commerce. Mostly it's stuff he has said before, but it's good every once in a while to take note of what the guy in charge is saying. So...

On public/private collaboration:

[Emergency preparedness] has to be a public/private partnership because most of the assets and employees which are threatened in any situation, whether it's a potential terrorism attack or a natural disaster, most of those assets and employees are in private hands. ... And therefore, this is really an area where partnership is very important.

On risk management:

[I]n this world, you cannot eliminate risk. ... What we have to do is manage risk.

What do we mean by risk? Well, we look at three things. We look at threats, we look at vulnerabilities, and we look at consequences. We try to weigh where the threats are, where we are most vulnerable, and, perhaps most important, what would the consequences be if a particular threat came to pass.

On viewing security as an investment, rather than a cost:

[T]here is a very important business case to be made with respect to investments in homeland and national security. After all, a good part of what you need to do when you invest your resources in producing economic activity is to protect your investment. You've got to protect your assets, you've got to protect your employees, you've got to protect your business processes and your good will.

And therefore, investment in protection of infrastructure or people against all kinds of threats is very much at the core of your business mission, and that's why I think there is a real confluence of objectives here between government and its responsibility to protect the country, and you as business leaders in your obligation to protect your own investments.

On rail security:

[W]e have focused on the most significant risks to our rail transportation system. One of those is the risk of transportation of hazardous chemicals ...

At the end of last year, we issued a proposed regulation that will require major railroads to improve the monitoring of rail cars that carry toxic inhalation chemicals. Rail companies have to make sure these cars are not left unattended in rail yards, especially where they are near major cities or population centers. They have to be able to track the whereabouts of these cars at all times, and then they have to put these rail cars on the safest, economically practicable routes.

This regulation also illustrates another key element of the way we approach these problems, because it was developed working in partnership with the rail industry and the chemical industry at every step of the process, so that we did have a fair, intelligent and not hysterical risk-based strategy. We didn't simply propose these regulations unilaterally.

This is a pretty sunny summary. Actually, the rules on chemical plant security are quite contentious. (See these posts). And DHS still needs to complete a comprehensive risk assessment of the rail sector. (See these posts.)

The new rules are great for tracking the location of hazardous chemicals on the rails, but railroad companies have only five minutes to share this information with DHS. When local authorities get the information is a different question - and perhaps a more important question, given that local first responders are the ones who have to deal with any incident. And a lot of local communities need better information and preparation regarding their local rail risks. (See this post.)

On emergency preparedness:

[U]nder our National Infrastructure Protection Plan, which is how we work with the private sector to decrease the vulnerabilities in private sector infrastructure, we're developing specific plans to heighten protection for infrastructure in areas like agriculture, drinking water facilities, and dams.

Well, yes. But based on these comments, you'd think the process was smooth and remarkable only for its exemplary collaboration between the public and private sectors. But it hasn't really been that smooth, in part because DHS needs to do a better job of collaborating with the sectors. (See these posts for full details, but here's a notable quotable: "...a lack of trust in DHS and fear that sensitive information would be released are recurring barriers to the private sector’s sharing information with the federal government.") So the plans are getting put into place, but DHS does need to do a better job of listening to its public sector partners.

[P]reparation in advance for the unthinkable, gives you a leg-up in being able to respond when the unthinkable actually comes to pass.

No argument there. Nicely said.

Philosophically, I think Chertoff's emphasis on managing risks, working with private sector partners, and imagining the unimaginable is on target. The sticky parts come when you try to implement policies. Resistance and lack of trust can gum up the best laid plans. That, I think, is DHS' biggest challenge.

Risk on the Rails: An Update

This is an update to this post from a couple of weeks ago:

The Government Accountability Office (GAO) released a new statement on rail security. They continue to prod DHS and the Transportation Security Administration (TSA) to complete the required risk assessment and strategic plans for rail security:

[A]s of March 2, 2007, TSA has not issued the required Transportation Sector Specific Plan and supporting plans for passenger rail and other surface transportation modes, based on risk assessments. Until TSA does so, it lacks a clearly communicated strategy with goals and objectives for securing the transportation sector, including passenger rail.

GAO reiterates its support of a risk-management approach to rail security. While acknowledging the complexity and difficulty of managing risk on the rails, due to the inherently open nature of the rail system itself, the number of stakeholders involved, etc., the GAO continues to point out that, despite making progress, DHS and TSA have not completed the required system-wide risk assessment and resulting strategy:

DHS has made progress in assessing the risks facing the U.S. passenger rail system, but has not issued a plan based on those risk assessments for securing the entire transportation sector and supporting plans for each mode of surface transportation, as required by and in accordance with the National Infrastructure Protection Plan.

TSA expects the 50 largest rail transit agencies to complete security self-assessments in early 2007. According to TSA, the agency is using the results of these assessments to set priorities, and has identified underground and underwater rail infrastructure and high-density passenger rail stations as assets at highest risk.

In short, there's progress but more is needed. TSA continues to assess risk on an ongoing basis (e.g., identifying underground and underwater rail and high-density passenger rail as high-risk assets) without an overall picture of the risk environment on the rails.

Managing Risk on the Rails

It seems that there has been a lot of press lately about rail security. Adding to the pile, the GAO recently released a review of DHS' work so far on the rail sector. It was an update of GAO's September 2005 report on the same subject.

Typical for a GAO report, there's some good news, there's some bad news. The salient point, which is hammered home again and again, is that DHS and the Transportation Security Administration (TSA) need to complete their risk assessment of the rail sector. TSA has worked on a lot of interventions, such as their new proposed rules for the passenger and freight sectors. But without finishing the risk assessment and developing a comprehensive strategy based on risk, who's to say if the rail sector will be as secure as it can be?

Here are a few highlights from the GAO report:

In our September 2005 report on passenger rail security, we recommended, among other things, that TSA establish a plan with timelines for completing its methodology for conducting risk assessments and develop security standards that reflect industry best practices and can be measured and enforced. These actions should help ensure that the federal government has the information it needs to prioritize passenger rail assets based on risk, and evaluate, select, and implement measures to help the passenger rail operators protect their systems against terrorism. … However, as of February 2007, DHS has not provided a formal response indicating if or how it has implemented these recommendations.

In fact, the National Infrastructure Protection Plan (NIPP), released in 2006, specifically requires agencies to develop priorities based on risk assessments:

In fulfilling its responsibilities under the NIPP, TSA must conduct and facilitate risk assessments in order to identify, prioritize, and coordinate the protection of critical transportation systems infrastructure, as well as develop risk based priorities for the transportation sector.

To be fair, TSA has been working on it:

DHS has made progress in assessing the risks facing the U.S. passenger rail system, but has not issued a plan based on those risk assessments for securing the entire transportation sector and supporting plans for each mode of transportation, including passenger rail.

As of February 2007, the [DHS] Office for Grants and Training (OGT) had completed or planned to conduct risk assessments of most passenger rail operators.

But the key is to have a comprehensive, strategic approach to intervention that's based on risk-management. Until you have the whole picture of risk, your interventions (though they may have individual tactical effectiveness) will not form an integrated system and will not reach their optimal level of effectiveness. For example:

In May 2004, TSA issued security directives to the passenger rail industry to establish standard security measures for all passenger rail operators, including Amtrak. However, as we previously reported, it was unclear how TSA developed the requirements in the directives, how TSA planned to monitor and ensure compliance, how rail operators were to implement the measures, and which entities were responsible for their implementation.

The GAO concludes:

Since our September 2005 report, DHS components have taken steps to assess the risks to the passenger rail system, such as working with rail operators to update prior risk assessments and facilitating rail operator security self assessments. According to TSA, the agency plans to use these assessment results to set priorities for securing rail assets deemed most at risk, such as underground and underwater rail infrastructure and high density passenger rail stations. A comprehensive assessment of the risks facing the transportation sector and each mode, including passenger rail, will be a key component of the TSSP and supporting plans for each mode of transportation. Until TSA issues these plans, however, the agency lacks a clearly communicated strategy with goals and objectives for securing the overall transportation sector and each mode of transportation, including passenger rail.

DHS Chief Emphasizes Collaboration, Information Sharing, Risk Management

In a speech by DHS Secretary Chertoff at the 2006 Grants & Training National Conference, Chertoff reasserted some of the department's priorities. First, Chertoff again stressed a collaborative approach across levels of government:

Effective preparedness requires teamwork across all levels of the government and society, and it requires joint planning, coordination, training and execution. We have to have a common approach, a coordinated approach, across all of the phases of what we have to do to create homeland security -- prevention, protection, response and recovery.

In the grant process, this will mean more two-way communication between local authorities and DHS:

It's going to be an iterative back-and-forth process in which you will have an opportunity to absorb our suggestions and come back for a second round before we finalize these arrangements. I'm convinced that this kind of two-way communication is going to go a long way to alleviating some of the frustration that you have rightly expressed in past years.

Chertoff also repeated his emphasis on risk management as a guiding principle for Homeland Security:

I'm going to repeat something I've said a lot in the almost two years I've been on this job, which is the core principle that animates what we do at DHS, and that is risk management. It is a recognition of the fact that management of risk is not elimination of risk. There is no elimination of risk in life, and anybody who promises every single person protection against every threat at every moment in every place in the country is making a false promise.

What we do have to do is identify and prioritize risks -- understanding the threat, the vulnerability and the consequence. ... So we have to invest our resources that balance the need to give the most to the high risk areas, but also to make sure that everybody is getting a basic level of capability to do what they need to do to protect Americans in our towns and our rural areas from sea to sea.

Chertoff stressed the primacy of state and local government:

I also want to say, before I discuss what we're going to do, that we have a very keen recognition of the primacy of state and local government in developing the skills and capabilities for preparedness. State and local governments know communities the best. They know their communities much better than the federal government in Washington knows their communities. And therefore, the expertise to tailor planning and capabilities to specific needs best resides with the lowest level of government.

Chertoff, matching the tone of the Information Sharing Environment Implementation Plan, emphasized state and local fusion centers as a primary means of "vertical" information sharing (also see Monday's post on the ISE plan):

One of the critical insights we've had is that we have to do, not only a better job of horizontal sharing, as we have succeeded, I think, in doing over the last five years, but we have to do more in terms of vertical sharing. And that's, by the way, not a one-way street. It's not just us pushing information down to you; it's you -- helping you collect and push information up to us because increasingly the threats we have to worry about are not merely those that come from overseas, but homegrown threats of the kind, for example, that the United Kingdom has lately faced in 2005 and 2006 with some of the homegrown plots that came to light over there.

One of the keys to moving this vertical pathway in information sharing -- are fusion centers that are now being created in many of the states and the major urban areas in this country. We see a tremendous value in having a national network of linked intelligence fusion centers to facilitate the two-way sharing of information, and we look forward to enabling and assisting the creation and development of those fusion centers.

One of the things, for example, we're in the process of doing is deploying DHS intelligence and analytic personnel to all the major fusion centers, and getting that done by the end of 2008. We're already getting that done in a number of major cities. This will allow us to build a vertical network to match the horizontal network of intelligence and information sharing for all of our communities across the country.

Chertoff identified interoperable communications systems as one of the department's goals for the coming year:

[W]e are determined to ensure that the Urban Area Security Initiative cities, the major cities, have inter-operable communications in effect by the end of this coming year, and that all states have inter-operable communications in effect by the end of 2008. ... The bottom line is we have to be able to communicate during a disaster, and this remains a priority for all of us. We're going to get it done.

He also stressed NIMS compliance:

Another goal is NIMS compliance. We're well on our way to NIMS compliance all across the nation.

Also, DHS and DOD have collaborated on plans for responding to the 15 disasters in the National Planning Scenarios:

And perhaps even more important, we have begun working with DOD what we call a deliberative planning process for 15 major catastrophic national planning scenarios, which we would need to plan against if there were truly a catastrophe in this country.

GAO: Homeland Security Issues for Congressional Oversight

The GAO issued a report for the upcoming 110th Congress on issues that the GAO thinks will require Congressional attention. Not surprisingly, many issues deal with homeland security. They include:

Ensure the Effective Integration and Transformation of the Department of Homeland Security:

After its creation in 2003, the Department of Homeland Security (DHS) had to transform 22 agencies—several with major management challenges—into one department. ... The areas GAO identified as at risk include planning and priority setting; accountability and oversight; and a broad array of management, programmatic, and partnering challenges.

Enhance Information Sharing, Accelerate Transformation, and Improve Oversight Related to the Nation’s Intelligence Agencies:

Since September 11, 2001, the nation has made some progress in fixing a major vulnerability—intelligence and law enforcement agencies’ failure to “connect the dots” and share information on the terrorists. ... But progress has been slow in some key areas, including implementing the policies needed to govern information sharing. ... Without continued congressional oversight of these issues, the progress and results of the many requirements and initiatives will remain unclear.

Enhance Border Security and Enforcement of Existing Immigration Laws:

[S]uccessful implementation of these steps has often been hampered by inadequate planning and guidance, misaligned priorities and resources, and outdated information technology systems. Additional congressional oversight can help ensure that travel document, border security, and immigration enforcement initiatives are yielding improved national and economic security for our nation’s citizens.

Strengthen Efforts to Prevent the Proliferation of Nuclear, Chemical, and Biological Weapons and Their Delivery Systems (Missiles):

Additional congressional oversight can help assess the effectiveness of these activities and how U.S. resources might be better planned and managed to achieve nonproliferation goals.

Ensure the Effectiveness and Coordination of U.S. International Counterterrorism Efforts:

[T]he Congress has an important role to play in overseeing the implementation of these [9/11 Commission] recommendations and in assessing the effectiveness and coordination of U.S. diplomatic, military, intelligence, and law enforcement efforts to combat terrorism abroad.

Ensure a Strategic and Integrated Approach to Prepare for, Respond to, Recover, and Rebuild from Catastrophic Events. (Notably, the GAO emphasizes risk management as a guiding principle for dealing with catastrophic events):

Recent events—notably Hurricane Katrina and the threat of an influenza pandemic—have illustrated the importance of ensuring a strategic and integrated approach to catastrophic disaster management. ... Managing risk is also a key component of GAO’s model for managing risk provides a tool to assist the Congress, Department of Homeland Security, and other key players in preparing for and responding to such events.

Key Topics Needing Congressional Oversight

• Ensure that leadership, roles, responsibilities, and authorities are clear, well communicated, and understood and the capacity of the nation to prepare for, respond to, and recover/rebuild from catastrophic events is effectively assessed and exercised.
• Determine the extent to which relevant federal and state organizations consider risk-based factors when making management and resource decisions relating to catastrophic events.
• Identify and track the types and amount of federal assistance provided for addressing catastrophic events and develop metrics to inform congressional oversight.
• Examine the availability of private insurance for catastrophes and identify ways that the National Flood Insurance Program can improve the sufficiency of its financial resources and funding mechanism, mitigate repetitive losses, increase compliance with mandatory purchase requirements, and expedite the Federal Emergency Management Agency’s flood map modernization efforts.

A lot of these issues seriously affect state and local homeland security. It will be interesting to see how new leadership in Congress tackles these issues, and what differences emerge from the approaches taken since 9/11.

$1.2 Billion - But Will It Work?

Yesterday, the Government Accountability Office (GAO) issued a report that was critical of DHS' Domestic Nuclear Detection Office (DNDO), who recently awarded a $1.2 billion dollar contract to a number of contractors for new portal monitors, known as “advanced spectroscopic portal monitors” (ASP), that can detect both the presence and the type of nuclear or radiological material.

DNDO tested ASPs in 2005. They set a goal of identifying highly enriched uranium (HEU) – the main ingredient in a "gun" type nuclear weapon – 95 percent of the time. But the ASP prototypes identified bare HEU only 70 to 88 percent of time. And when the HEU was masked with benign radiological materials, the success rates fell to 53 percent, 45 percent, and 17 percent for the three ASP systems tested.

GAO said:

Despite these results, DNDO did not use the information from these tests in its cost-benefit analysis. Instead, DNDO officials told us that since new portal monitors cannot meet the 95 percent level of performance, they relied on the assumption that they will reach that level of performance sometime in the future.

Moreover, DNDO’s cost-benefit analysis only considered the benefits of ASPs’ ability to detect and identify HEU and did not consider ASPs ability to detect and identify other nuclear and radiological materials.

In other words, DNDO did not consider the ASP portals' effectiveness in identifying radiological materials that would be useful in a dirty bomb, such as Cesium 137 and Cobalt 60.

GAO concludes:

DNDO’s cost-benefit analysis does not justify its recent decision to spend $1.2 billion to purchase and deploy ASP technology.

The lesson of this, as I see it, is that you have to take into account the entire spectrum of risk and reward before deciding on any particular intervention.

In the UK, Risk Management Goes On

The Independent is reporting that British authorities are still recognizing a possible threat in the airplane bomb plot. The police commissioner also explains the decision to intervene, as well as highlighting the ongoing risk management that's taking place in more than a dozen other investigations:

Metropolitan Police Commissioner Sir Ian Blair stressed the seriousness of the threat still facing the country. Referring to the alleged airliner bomb plot, he said: "We have been behind this group of people for some time. What we always have to do is balance waiting to gather more evidence and make sure you get all the people, against the risk to the public by not moving in earlier.
"That's the decision that was reached last Wednesday evening. There's a point where the information reaches a level of concern that means if you don't take action it is indefensible."
He added that many other alleged plots were being investigated. "What is so concerning is that those operations can turn from being what we think is preparatory to what is clearly active in a very short time."

An important question is whether British authorities are getting all the information they need. Reports indicate that there has been good collaboration with law enforcement in Pakistan and the U.S. The question is - Is it enough?

UK Police Monitoring 24 'Major Conspiracies'

Says the Telegraph:

John Reid, the Home Secretary, confirmed yesterday that police and security services were aware of about 24 "major conspiracies". They are believed to be "multi-handed" terrorist plots, such as the alleged plan to blow up transatlantic airliners that led to the arrest of 24 people last Thursday.
Sources say that, on top of the inquiries confirmed by Mr Reid, up to 50 more are being conducted by anti-terrorist police, most of them involving Scotland Yard and MI5. Some relate to fund-raising activity... and intelligence-gathering, such as details of potential targets.

One thing about major terrorist operations is that as the size of the operation increases, it takes an increasing number of people and amount of resources to pull it off. Which means the vulnerabilities increase, too. There are potentially more loose strings that can be pulled.

Early reports say that the first tip in the London airplane bomb plot came from a single concerned citizen in the UK Muslim community. Since this was a big operation, that one tip generated a lot of payoff.

Bomb Plot: UK and US Disagreed on Decision to Intervene?

US and UK investigators differed on the decision to intervene in the British bomb plot, NBC says:

British officials knowledgeable about the case said British police were planning to continue to run surveillance for at least another week to try to obtain more evidence, while American officials pressured them to arrest the suspects sooner.

The sources did say, however, that police believe one U.K.-based suspect was ready to conduct a "dry run." British authorities had wanted to let him go forward with part of the plan, but the Americans balked.

Aside from the timing issue, there was excellent cooperation between the British and the Americans, officials told NBC News.

This seems like a reasonably healthy difference of opinion, based on a judgment as to the imminence of the attack. The decision to intervene is never easy, and a lot of factors have to be weighed.

Update: The New York Times also reported on the issue.

This Was an Easy Decision to Intervene

British authorities had been watching the airplane-bomb conspirators for month, biding their time until they got as much information about the group as possible. This was a reasonable risk-management decision, of course.

The Australian has reported that the decision to intervene came as a slam-dunk, essentially:

"GO now!" The message came from Pakistan and it rattled the British intelligence agents who intercepted it.

The urgent direction was sent early this week to a group of young British Muslims who had been plotting one of the world's biggest-ever terrorist attacks.

Intelligence officials who had been monitoring the group thought they had plenty of time to keep watching them and gathering evidence before safely rounding them up early enough to stop them carrying out their scheme.

But the message from radicals in Pakistan saying "do the attacks now" changed everything, and when it was passed to higher authorities in London on Wednesday night, it sent a jolt through the top levels of the British Government.

Normally, the decision to intervene would be a little more complex, as it would occur earlier in the process. It's risky to wait until an attack is imminent.