[Infowarrior] - GovExec Mag: Security Theater

[Richard Forno]

 FEATURES Security Theater
By Zack Phillips zphillips at govexec.com Government Executive August 1, 2007
http://www.govexec.com/features/0807-01/0807-01s3.htm

There's little downside to being alarmist about terror, so we spend too much
on measures that evoke feelings of security without actually improving it.

At the time, it seemed reasonable. Richard Reid tried to ignite explosives
hidden in his shoe while aboard a December 2001 flight from Paris, so
Congress banned butane lighters on planes.

But in retrospect, the costs of the ban outweighed the benefits. Airport
retailers had to stop selling lighters. Lighter vendor Zippo Manufacturing
Co. laid off more than 100 workers in part because of the prohibition.
Transportation Security Administration screeners at one point had to
confiscate 30,000 lighters every day, quadrupling the amount of garbage the
agency had to dispose of. TSA even had to hire a contractor to help with all
the extra trash.

Meanwhile, the security benefit was minimal. Passengers were allowed to
bring matches on board planes, so a determined bomber still could ignite
explosives. TSA Administrator Kip Hawley later acknowledged that the search
for lighters distracted screeners from the much more important task of
watching for explosives and bomb components. As of Aug. 4, Hawley announced
in late July, the ban will be lifted.

Author and security consultant Bruce Schneier has dubbed such
cost-ineffective measures "security theater" because they evoke feelings of
security without actually improving it. But it's easy to understand how the
lighter ban came to pass. Lawmakers wanted to show voters they were doing
something in response to Reid and the Sept. 11 terrorist attacks. Airlines
were eager to restore confidence and happy to let the federal government
take on the cost and responsibility of baggage screening. Neither had a
motivation to argue that shoe bombers did not represent a serious enough
threat to aviation to merit the lighter ban, or even to ask the question of
whether they posed such a threat. Alarm overpowered reasonable cost-benefit
analysis and a measured response.

Welcome to homeland security, where everyone has an incentive to exaggerate
threats. A Congress member whose district includes a port has little to lose
and much to gain by playing up the potential for container-borne terrorism.
A city with a dam talks up the need to protect critical infrastructure. A
company selling weapons-detection technology stresses the vulnerability of
commercial aviation. A civil servant evaluating homeland security grant
applications has an interest in over-estimating dangers that might be
addressed by grantees rather than denying funding and risk blame in the
event of a disaster.

Each has an incentive to be alarmist. Hardly any of the players has good
reason to contemplate terrorism reasonably or to consider threats in terms
of probability and finite budget resources. That lonely job falls to the
Homeland Security Department, which, four years after its creation, is just
beginning to integrate the complicated notion of risk analysis into its
work. Most observers credit Homeland Security Secretary Michael Chertoff
with talking enough about risk - not just threats - to bring some
improvement. But they also say the climate of fear makes it nearly
impossible to have a dispassionate discussion about the real threat of
terrorism and the response it truly merits.
Overblown

John Mueller suspects he might have become cable news programs' go-to foil
on terrorism. The author of Overblown: How Politicians and the Terrorism
Industry Inflate National Security Threats, and Why We Believe Them (Free
Press, 2006) thinks America has overreacted. The greatly exaggerated threat
of terrorism, he says, has cost the country far more than terrorist attacks
ever did.

Watching his Sept. 12, 2006, appearance on Fox & Friends is unintentionally
hilarious. Mueller calmly and politely asks the hosts to at least consider
his thesis. But filled with alarm and urgency, they appear bewildered and
exasperated. They speak to Mueller as if he is from another planet and
cannot be reasoned with.

That reaction is one measure of the contagion of alarmism. Mueller's book is
filled with statistics meant to put terrorism in context. For example,
international terrorism annually causes the same number of deaths as
drowning in bathtubs or bee stings. It would take a repeat of Sept. 11 every
month of the year to make flying as dangerous as driving. Over a lifetime,
the chance of being killed by a terrorist is about the same as being struck
by a meteor. Mueller's conclusions: An American's risk of dying at the hands
of a terrorist is microscopic. The likelihood of another Sept. 11-style
attack is nearly nil because it would lack the element of surprise. America
can easily absorb the damage from most conceivable attacks. And the
suggestion that al Qaeda poses an existential threat to the United States is
ridiculous. Mueller's statistics and conclusions are jarring only because
they so starkly contradict the widely disseminated and broadly accepted
image of terrorism as an urgent and all-encompassing threat.

American reaction to two failed attacks in Britain in June further
illustrates our national hysteria. British police found and defused two car
bombs before they could be detonated, and two would-be bombers rammed their
car into a terminal at Glasgow Airport. Even though no bystanders were hurt
and British authorities labeled both episodes failures, the response on
American cable television and Capitol Hill was frenzied, frequently
emphasizing how many people could have been killed. "The discovery of a
deadly car bomb in London today is another harsh reminder that we are in a
war against an enemy that will target us anywhere and everywhere," read an
e-mailed statement from Sen. Joe Lieberman, I-Conn. "Terrorism is not just a
threat. It is a reality, and we must confront and defeat it." The bombs that
never detonated were "deadly." Terrorists are "anywhere and everywhere."
Even those who believe it is a threat are understating; it's "more than a
threat."

Mueller, an Ohio State University political science professor, is more
analytical than shrill. Politicians are being politicians, and security
businesses are being security businesses, he says. "It's just like selling
insurance - you say, 'Your house could burn down.' You don't have an
incentive to say, 'Your house will never burn down.' And you're not lying,"
he says. Social science research suggests that humans tend to glom onto the
most alarmist perspective even if they are told how unlikely it is, he adds.
We inflate the danger of things we don't control and exaggerate the risk of
spectacular events while downplaying the likelihood of common ones. We are
more afraid of terrorism than car accidents or street crime, even though the
latter are far more common. Statistical outliers like the Sept. 11 terrorist
attacks are viewed not as anomalies, but as harbingers of what's to come.
Demystifying Security

Sept. 11 was so dramatic and scary that even suggesting that some of the
resulting fear is unjustified seems blasphemous. Indeed, the release in July
of a new National Intelligence Estimate and its reports of a resurgent al
Qaeda served to renew and stoke those fears. But the point is not that
terrorists don't exist, or that terrorist attacks won't happen. It's that
the pervasive alarm about terrorism obscures the most important question the
nation must grapple with: "What level of protection is enough?" Seeking 100
percent security is quixotic. There always will be some risk, but how much
can we live with?

This question remains unanswered because the political climate created by
alarmists, however well-intentioned, prevents it from being raised. Those
who try are quickly punished. Democratic presidential candidate John Kerry
said in 2004 that the goal should be to reduce terrorism to the level of
organized crime - a nuisance but not "the focus of our lives." The Bush
campaign immediately pounced, calling Kerry "unfit to lead," and he never
used such rhetoric again.

The question "How much risk can we live with?" cuts to the heart of homeland
security because the answer should guide the way government spends money,
the primary tool for fighting terrorism. We simply cannot protect
everything, and because budget resources are limited, spending security
money protecting one asset means leaving another vulnerable. We must spend
effectively and strategically. That means employing sound cost-benefit
analyses to reduce risk to manageable levels is the only reasonable goal.
Industry has a word for this kind of strategic thinking: risk management.

"Risk management is about playing the odds," writes Schneier in Beyond Fear:
Thinking Sensibly About Security in an Uncertain World (Copernicus Books,
2003). "It's figuring out which attacks are worth worrying about and which
ones can be ignored. It's spending more resources on the serious attacks and
less on the frivolous ones. It's taking a finite security budget and making
the best use of it. We do this by looking at the risks, not the threats."

Schneier wants to demystify security for the masses. He rails against the
paternalism of politicians and pundits who, he says, purport to have the
answers to complex security dilemmas. Schneier, who once implemented
security solutions for the Defense Department and has consulted for other
governments and financial institutions, says there are no right answers.
Security is all about trade-offs, and anyone can make those judgments.
'Peanut Butter' Spending

DHS has received $130 billion in budget authority since 2001 and that
certainly buys more security. But more security does not necessarily make
the country more secure. How much risk has that $130 billion bought down? No
one knows because DHS has neither a long-term, risk-based strategic plan nor
a comprehensive way of measuring risk reduction. Mueller, Schneier and many
others suggest that politics, not risk, determines how the department spends
money. It's not the politics of insider contracts and influence peddling,
but the need to be seen as responding somehow to bad news while at the same
time not knowing which reaction, if any, is appropriate.

Examples of questionable priorities abound. Intelligence and warning
capabilities are less visible than detectors and other more high-profile
security measures, but nearly everyone agrees they are vital to
counterterrorism. Yet such programs account for less than 1 percent of
government spending on homeland security, according to the Congressional
Research Service.

Veronique de Rugy, a fellow at the American Enterprise Institute for Public
Policy Research and a visiting scholar at George Mason University's Mercatus
Center, has studied DHS' budget extensively. She points out that TSA will
have spent more than $14.7 billion in five years screening airline
passengers when it could have reduced most of the risk with a single measure
that will cost only $100 million over 10 years: reinforcing cockpit doors. A
would-be hijacker's options are severely limited if the cockpit is
inaccessible.

De Rugy sees significant problems in DHS grant programs. By the end of
fiscal 2008, DHS will have given $12 billion in grants to state and local
governments without a way to measure whether the investment has reduced the
risk of terrorism. In particular, de Rugy faults congressional requirements
that originally guaranteed each state a minimum allotment. Instead, DHS
should be focusing on a few high-risk areas, she says. "They think 'If we do
something about it, no matter what [good it does], then we can claim we're
on top of everything,' which is exactly the opposite," says de Rugy. "If
you're spread really thin, you're not achieving anything."

Chertoff refers to this as "spreading the money around like peanut butter on
a piece of bread, with everybody getting a little bit." He opposes it. In
his first major address as secretary in March 2005, Chertoff said DHS
actions should be dictated by risk, not by threats, even though threats
capture the focus and imagination of the public and media. "A terrorist
attack on the two-lane bridge down the street from my house is bad, but has
a relatively low consequence compared to an attack on the Golden Gate
Bridge," he said.

The secretary's influence is visible in homeland security grant programs. At
first, the department crudely calculated risk by using population as a
proxy. Later, figures for the extent of threat and the presence of critical
infrastructure were added to the equation. Chertoff introduced a new
equation: Risk is equal to threat times vulnerability times consequence.

For the first time, DHS is considering probabilities in the calculations
that drive grants and other security investments.

And after the department's controversial Urban Areas Security Initiative
grants ignited a firestorm last year, officials refined the program.
Applicants now must submit an investment justification for the funds they
are requesting. The list of critical infrastructure considered when
calculating a city's risk now has only 2,100 facilities - mostly dams, power
plants and other significant structures, according to Chertoff. (The fiscal
2006 list, mocked for including a popcorn factory and a hot dog stand,
included 200,000 assets.) And perhaps most significantly, DHS now rates all
parts of the country as equally vulnerable to attack. Thus, the likely
consequences of an attack account for 80 out of 100 "risk points," making
that the predominant factor in choosing where to allocate $746 million. The
other 20 points are determined by threat analyses.
Risk Simulator

Risk management long has been used in the finance, insurance and engineering
fields. But applying it to counterterrorism is much more difficult because
uncertainty about terrorists' intent and capabilities requires some
guesswork. Chertoff gets credit for elevating the concept of risk, but even
his backers say the department has a long way to go. "I applaud him; he
introduced the idea of risk and it has caught on," says Randy Beardsworth,
formerly DHS' assistant secretary for strategic plans. "But it's caught on
at the 101 level. We need to move to the graduate level - the 501." This is
where risk gets more complicated. Beardsworth says the government is much
better comparing risk at the tactical level - one nuclear plant versus
another - than at the strategic level. Is there more risk associated with
air travel or mass transit, for instance?

Before leaving DHS in September, Beardsworth was leading a working group to
develop a strategic risk tool for Chertoff. The tool would allow him to
compare the risk reduction impact of different programs. In one case, DHS
could spend millions more dollars and still not lower the risk appreciably.
In another case, a small additional investment would reduce risk
substantially. In short, the DHS secretary could articulate clear and
understandable reasons for making investments. "The cynics will say it's all
politics," Beardsworth says. "But as a career guy, I really don't care. This
is the right way to look at how to spend money in the homeland security
world."

Beardsworth says work on the tool stalled after he left. It seems to have
been picked up by the new Risk Management and Analysis Office in the
Directorate for National Protection and Programs created last year. That
office began functioning in April, the first time a single entity has
collected risk information departmentwide. Its first tasks are cataloging
the risk management methodologies DHS component agencies use and developing
a single set of common principles.

"It'd be a nice, neat area to say there's only one [risk] formula," says
Tina Gabbrielli, acting director of the Risk Management and Analysis Office.
"If that were the case, I'd have a pretty easy job. What I learned quickly
is that when it comes to risk and risk analysis methodologies, one size does
not fit all." The long-term goal is to allow the DHS secretary to know, for
instance, how the department can best reduce risk over the next five years.
But Gabbrielli admits that capability is a long way off.

The level of difficulty becomes clear when considering actual applications -
transportation systems, for example. Does an improvement in an airport's
weapons screening technology really buy down any risk? Or does it simply
shift risk, pushing the terrorist to find a way around checkpoints, such as
an employee entrance. Does outfitting commercial jets with systems to defend
against shoulder-fired missiles - which could cost as much as $1 million per
plane - reduce the risk of attack or simply motivate the terrorist to aim
his missile at another target?

This is where a new risk management analysis tool comes in. TSA issued a
solicitation in late June for a computer simulator that would measure the
effectiveness, in terms of risk reduction, of various aviation
countermeasures. The simulator would use terrorist teams and government
teams and would test multiple defense systems to find the most effective
sequence of countermeasures.

The problem, de Rugy points out, is that even though DHS is making progress
implementing risk management, more terrorist attacks likely will occur. And
when they do, the alarm bells will ring, making it nearly impossible to
honestly debate security priorities. "Even if it's, like, 50 people being
killed, which is horrible, it's very likely it's something not worth
investing billions of dollars," she says. "And who's going to be saying
that?"