Homeland Security Watch

News and analysis of critical issues in homeland security

July 28, 2008

House Homeland Chairman Responds with Risk-Based Rebuttal

Filed under: Congress and HLS, Risk Assessment — by Jonah Czerwinski on July 28, 2008

Yesterday the Chairman of the House Homeland Security Committee, Bennie Thompson, published in the New York Times a response to the July 21 op-ed in the same paper by DHS Deputy assistant secretary for policy development Stephen Heifetz. Heifetz argued that overlapping Congressional committees and both political Parties are the source of the Department’s inability to “develop — and put in place — a broad risk assessment methodology.”

Subtext: While many authorities and influential groups have called for the consolidation of Congressional oversight of DHS, the Administration has made only mild intonations about the need to do so. It seemed as though the cautious approach was taken because the Executive Branch cannot reorganize the Legislative, and it’s the latter’s business.

Further subtext: The Secretary of Homeland Security only recently called for such a reorganization in testimony before Congress, an assertiveness not seen before. And now this high profile op-ed in the New York Times by a policy official at DHS.

We know they’ve always wanted fewer masters in the Congress than the +/-80 committees and subcommittees that they now deal with. But why the overt shift in attention by DHS to Congress now? What changed?

Chairman Thompson suggests that part of the reason is that while the Republicans controlled the Congress, there wasn’t much appetite by the Administration for challenging them on this issue. Now that the Democrats are in charge – and challenging the Administration – there is a newfound motivation for Congressional reform.

The core issue may not be Congress at all here. Heifetz argues that the ability to conduct adequate risk-based homeland security investments and strategies is hampered by the multiple parochial demands of Congress. That may be true with regard to state grants, but there are a lot of other options that are within the Department’s control for making progress.

Chairman Thompson puts it this way:

The primary obstacle to a risk-based homeland security strategy is not the need for a Congressional reorganization. During a hearing my committee held last month, expert witnesses asserted the need for a “chief risk officer” at D.H.S., as well as a new presidential directive committed to carrying out risk-management principles in all homeland security functions.

Unfortunately, this administration has not demonstrated an effective risk-management approach, a failure that inevitably leads to political interference from both sides of the aisle.

We need a risk-based approach to homeland security that allocates our limited resources proportionally to risk. D.H.S. then needs to make periodic assessments to gauge our progress in mitigating those risks. This is not being done because the administration is unwilling to make the tough choices that will make our country safer.

July 21, 2008

DHS (Again) Calls to Consolidate Congressional Committees

Filed under: Congress and HLS, Risk Assessment — by Jonah Czerwinski on July 21, 2008

Ever since DHS stood up there has been a battle underway to resist the temptation to fund every countermeasure and combat every conceivable threat. By and large that battle is being lost. However, a piece in yesterday’s New York Times by the deputy assistant secretary for policy development at DHS suggests that the culprit is excessive and disorganized Congressional oversight of the Department of Homeland Security.

Deputy assistant secretary Stephen Heifetz writes that “tangled homeland security laws” obstruct the ability of DHS to prioritize risks. Congressional committees and both political Parties are the source of the Department’s inability to “develop — and put in place — a broad risk assessment methodology.”

He cites the roughly 80 committees and subcommittees that oversee DHS as an unfair disadvantage when compared to the mere four committees that claim jurisdiction over the Department of Defense.

This comes at a cost not just in convenience and efficiency. Heifetz suggests that because Washington began to focus on bad things that might happen to us after 9/11, we identified “a seemingly infinite catalogue of worrisome possibilities” that include:
• nuclear, chemical and biological terrorist attacks delivered by planes, ships, cars or other mechanisms
• conventional explosives on mass transit systems
• gunmen in public places
• cyber attacks on computer and communication networks
• natural hazards like earthquakes and hurricanes

To avoid fighting every scenario, we need to measure what is truly a risk. Heifetz argues that doing so isn’t possible because “dozens of Congressional committees and subcommittees that watch over the department have their own goals and have refused to give up authority.” He states that when every Congressional committee believes its subject area is priority number one, nothing is a priority. No risk assessment can be successful in this environment.

He is right to resist the “anything’s possible” homeland security approach, but Congressional oversight can be blamed for only part of the problem. Invoking the 9/11 Commission recommendation (which has been offered by countless other organizations for over seven years now) to consolidate the committees of jurisdiction into one seems logical. But this is something only the Congress can do. There are things that DHS can do to improve risk assessment.

Risk is measured in many ways, including the White House strategy documents, budget requests, the Quadrennial Homeland Security Review, products of the DHS Office of Risk Management and Analysis, and responses to Congress, to say nothing of the intelligence reporting taking place at the international, federal, and state levels. I buy it that it must be a headache to lead this Department with so many masters, but the assessment of risks should be able to go on regardless. The hard part is getting people to believe it.

June 30, 2008

Congress Sheds Light on DHS Risk Management Function

Filed under: Risk Assessment — by Jonah Czerwinski on June 30, 2008

Last week the House Homeland Security Subcommittee on Transportation and Infrastructure Protection convened a public hearing to address the ways in which DHS is focused on assessing and managing risk. The hearing highlighted the risk posed by the chemical facility industry, but also invoked such policy issues as public-private partnerships, governance mechanisms, and expectations of the public.

Two recent publications entered into the record by Chairwoman Jackson-Lee were “Challenges of Applying Risk Management to Terrorism Security Policy,” and the April 2008 report by GAO, entitled “Highlights of a Forum: Strengthening the Use of Risk Management Principles in Homeland Security.”

Robert Jamison, DHS Undersecretary for the National Protection and Programs Directorate, which oversees the Department’s Office of Risk Management and Analysis (RMA), described the vision thing as follows:

Establish and institutionalize an integrated risk management framework. This framework will consist of the doctrine, principles, processes, guidance, and information flows that will enable risk-informed and cost-effective decision making within components and at the DHS headquarters level. A properly executed risk management framework effectively serves as a force multiplier, as it enables better alignment of security priorities and resources to needs.

Conduct strategic, integrated risk analysis. We must be informed, at the strategic level, by an integrated departmental risk assessment. The integrated risk assessment should leverage the various risk analyses being conducted within and outside the Department.

The RMA, which was established under Section 872 of the Homeland Security Act of 2002, manages the Risk Steering Committee that U/S Jamison chairs and that is the principal vehicle for knitting together the component agencies’ efforts to define, manage, and reduce risk in their respective domains.

The RMA also is charged with developing a standard risk lexicon, which I presume has to do with unifying the cacophony of terms used to describe the vagaries of risk across the Department. No easy task. As part of this effort to rationalize the risk paradigm that DHS runs, RMA is developing the Risk Assessment Process for Informed Decision-Making, or “RAPID.” (Hey, they got SAFETY Act and PATRIOT Act to serve as acronyms.) Furthermore, RMA is in the process of developing a strategic regional risk assessment process/tool and a risk communications strategy. Perhaps the latter will evolve the color-coded medium currently in use.

UPDATE: Thanks to reader RK for his email correcting this post. It had previously cited the creation of RMA under a section of the Homeland Security Act of 2002, but implied that RMA was formed around the time of the Act. Rather, the Secretary used a section of the Act to create the Office of Risk Management and Analysis in 2007.

December 6, 2007

Terrorism Insurance Bill Proceeds Without Certainty

Filed under: Congress and HLS, Risk Assessment — by Jonah Czerwinski on December 6, 2007

A seven-year extension of the Terrorism Risk Insurance Act, or TRIA, is closer to passage in the Congress this week. This will be the result of a compromise between Dems and Repubs, and between the House and the Senate. In general, Dems favor the legislation to enable private insurers to write policies that cover acts of terrorism, which they believe insurers otherwise would not provide out of concern that such a policy would be too risky. Repubs are, in general, unsupportive of extensions for the bill in favor of private sector market solutions that they believe would be less expensive.

The insurance industry paid more than $30 billion in claims as a result of the 9/11 terrorist attacks.  Afterward, commercial terrorism insurance for businesses became expensive and even impossible to obtain. Congress responded by passing TRIA to provide a financial backstop for the insurance industry so that it would continue to underwrite policies. TRIA is set to expire on December 31.

House Financial Services Chairman Barney Frank is leading the House charge to bolster TRIA. The Senate is seeking ways to continue TRIA in more modest ways. The White House supports the Senate’s more conservative version of the TRIA bill.

CQ wrote today that Chairman Frank will accept the Senate’s seven-year extension of TRIA, which is shorter than the 15-year extension he sought. The seven-year TRIA extension would increase the deficit by $3 billion over the next five years and $5.1 billion over the next decade, according to CBO estimates. Chairman Frank said he also would step back from requiring an expansion of the program to cover nuclear, biological, chemical, and radiological attacks. On the other hand, Frank is committed to reducing the $100 million threshold that would trigger government coverage to $50 million.

The last thing we should want to do is to leave America’s economy hanging without viable insurance coverage that can protect it against losses like those we saw in lower Manhattan on 9/11. However, there comes a time when industry will have to step up to identify the market – or create one – for providing the coverage necessary for confidence in today’s risk-laden environment. TRIA was created as a temporary fix to bridge the tenuous time between 9/11 and a more stable economic landscape that would allow the market to operate effectively in this new terrain. However, the question remains: What if the market sets a price so high for this coverage that demand never takes hold? We run the risk of creating an additional vulnerability in the form of a brittle economy that would likely suffer unnecessary cascading effects from a terrorist attack if the insurance coverage is not in place to buffer the financial impact.

December 3, 2007

Concept of Risk Deserves Greater Focus

Filed under: Risk Assessment, Strategy — by Jonah Czerwinski on December 3, 2007

Homeland Security Secretary Chertoff delivered a speech before the Institute of European Affairs in Dublin last Thursday and hit the usual high notes of transatlantic cooperation, which continues to strengthen below the radar of our politically charged policy environment on this side of the Pond.

How the Secretary portrayed that progress was with a lingua franca unfamiliar to the State Department diplomats. For example, he cited three principles on which he believes Americans and Europeans agree.

First, nations “must be willing not only to operate within their own borders and ports of entry, but beyond them as well.” He probably doesn’t mean that the way it sounds. Translation: find effective ways to cooperate with other nations to pursue shared interests in countering terrorism that crosses national boundaries.

Second, complete safety is out of reach and “the best alternative is a strategy that is governed by risk management.” While it may seem unremarkable by now, that concept will likely leave observers wondering what exactly the U.S. means by it.

Third, security can only be pursued effectively if in partnership with other nations. Put Chertoff on the National Security Council, please. It’s another unremarkable concept, but one that needs to be stated repeatedly.

So risk is inevitable and we should “manage” it. The closest this country has gotten to defining risk at the strategic level is in the context of debating where to apply federal funds, such as UASI grants.  Unfortunately, for all the work DHS and its component agencies have put toward defining risk over the years – since long before 9/11 – the latest Homeland Security Strategy barely addresses the idea.

The National Strategy gets only so close:

“the [National Preparedness Guidelines] constitutes a capabilities-based preparedness process for making informed decisions about managing homeland risk and prioritizing homeland security investments across disciplines, jurisdictions, regions, and levels of government, helping us to answer how prepared we are, how prepared we need to be, and how we prioritize efforts to close the gap.”

That’s what we should get if we manage risk, but what is the nature of risk in a post 9/11 strategic context? Later in the Strategy is a longer paragraph representing the only other description of risk:

“The assessment and management of risk underlies the full spectrum of our homeland security activities, including decisions about when, where, and how to invest in resources that eliminate, control, or mitigate risks. In the face of multiple and diverse catastrophic possibilities, we accept that risk – a function of threats, vulnerabilities, and consequences – is a permanent condition. We must apply a risk-based framework across all homeland security efforts in order to identify and assess potential hazards (including their downstream effects), determine what levels of relative risk are acceptable, and prioritize and allocate resources among all homeland security partners, both public and private, to prevent, protect against, and respond to and recover from all manner of incidents. A disciplined approach to managing risk will help to achieve overall effectiveness and efficiency in securing the Homeland. In order to develop this discipline, we as a Nation must organize and help mature the profession of risk management by adopting common risk analysis principles and standards, as well as a professional lexicon.”

Over 150 words and it still seems as though we’re talking around the concept without really saying what risk is apart from “a function of threats, vulnerabilities, and consequences.” That’s the same way we described risk on September 10, 2001. What we need is a straightforward explanation of risk in the 21st century. Sure, it’s terrorism, but it is also much more if we consider that terrorist targets include almost anything in the civilian and commercial realm. Risk is therefore a function of how interconnected today’s world has become. A danger in this hemisphere ripples around the world depending on numerous factors beyond just threats, vulnerabilities, and consequences.

With little else to go on, our allies overseas listening to Secretary Chertoff last week could be forgiven if they walked away from his speech wondering just what it means to choose “a strategy that is governed by risk management.”

The new IBM white paper we wrote and I blogged about earlier offers the following:
“Risk today is characterized by the rise of the individual as well as the rise of small groups as strategic threats and the speed and unpredictability with which the harmful effects of disruptions in one part of the world can spread to other companies, sectors and countries.”

The National Homeland Security Strategy makes a sound point when in another slight reference to risk, it suggests that “companies that minimize risk will be rewarded by the market.” You might say that this maxim applies to the government, too.

While the National Strategy may have prompted more questions than it answered, there is another opportunity for us to get this knotty issue of risk nailed down so that we can plan against it and make wiser investments in both the public and private sector. Recall that Congress mandated that DHS issue a Quadrennial Homeland Security Review along the lines of the Pentagon’s Quadrennial Defense Review. This represents a valuable opportunity for DHS to take this head on. No better document – at this point, anyway – than the first QHSR to put forth a workable concept of risk.

September 11, 2007

Where Are We Six Years After 9/11?

Filed under: General Homeland Security, Risk Assessment, Terrorist Threats & Attacks — by Jonah Czerwinski on September 11, 2007

Conflicting opinions are emerging these days about the state of our homeland security. Walter Pincus and Joby Warrick noted in their coverage of official statements yesterday that while Secretary Chertoff was explaining to the Senate how the threat of terrorism is as bad as it was six years ago, the President’s Homeland Security and Counterterrorism Advisor, Fran Townsend, struck a different chord in an interview with Wolf Blitzer by calling al Qaeda’s leader an “impotent… man on the run from a cave.” Where to go from here with a threat assessment like this?

In addition to invoking the need for greater investments in HLS capabilities, intelligence gathering resources, and a general sense of resolve, the recently foiled attacks in Germany came to be useful fodder for assessing the risk today.  The DNI suggested that the plans of those aspiring terrorists in North Rhine-Westphalia were uncovered due to warrantless surveillance of communications traveling through the U.S.  (The Senate Committee pointed out that the German cell was located almost ten months prior to that surveillance law being passed.) 

So what can we learn about the recently disrupted cell in Germany on this sixth anniversary of 9/11?  What materiel was too easy for them to procure in preparation for their plans?  How were they able to coordinate and communicate without notice until the late stages as it were?  Could we see the same trend emerge here in the U.S., and would we be able to detect it early enough?  How well could we manage the aftermath of an attack with 700kg of hydrogen peroxide were we not to stop it beforehand? 

I’ve noted the work of a London-based group here before named Exclusive Analysis.  They are kind enough to send me their proprietary products and I’m, as they say over there, keen on sharing it here on occasion.  They recently assessed the terrorist threat in light of the foiled Germany plot.  The main findings, backed up by proper British prose, are as follows: 

The intercepted plot does not demonstrate an evolution in capability of European jihadi networks. 

Currently the risk of attack is moderated by flaws in leadership within jihadi networks.  

European jihadi networks will likely evolve better organisational leadership in a gradual ’survival of the fittest’ fashion; attack targets are likely to be chosen in order to maximise human fatalities. 

According to this, we’re lucky that the terrorists are unlucky — or at least unsophisticated. Both of these mitigating factors are due to change, and so is the venue. This places the “fight’em over there so we don’t have to fight’em here” mantra into a different perspective. Note how rarely this rationale is invoked on this anniversary of 9/11.

August 21, 2007

Terrorism Index Released

Filed under: Risk Assessment, Terrorist Threats & Attacks — by Jonah Czerwinski on August 21, 2007

Yesterday included a post here highlighting a number of critical questions posed by the GAO in a wide ranging study of national challenges that will take about 100 years to address.  Among them was a set of questions dealing with homeland security that I believe would be excellent fodder for a presidential debate leading up to 2008.  The Center for American Progress decided not to wait for the politicians.  They ran their third annual Terrorism Survey of policy wonks earlier this summer and released the findings yesterday. 

By querying 108 experts (representing a weighted breakdown of an equal number of conservatives and liberals, as well as a bulk identifying themselves as moderate), CAP – in partnership with Foreign Policy – gives us a stark assessment of where we stand in terms of combating terrorism and generally keeping America safe from deadly adversaries.  The survey asks 30 direct questions (and a number of questions about the participants themselves).  The results are insightful and the authors provide their own analysis here. 

A few specific questions are worth noting: 

[Image: the-cap-fp-q3.jpg]

The single greatest threat as “Nuclear materials/weapons” shows the only perfectly even breakdown that I could find so far. 28 Conservatives and 28 Liberals considered this the single greatest threat. It’s unclear if they meant nuc weapons generally or in the possession of someone or some country in particular. Perhaps another line in this answer set sheds light on this: Iran ranks as dangerously as climate change according to the weighted totals.

[Image: the-cap-fn-q4.jpg]

No one strongly believes that we are winning a war on terror.  Judging by the totals, this one isn’t even remotely close.  The survey’s methodology shows the cross-section of participants.  This is a group representing an even spread across the political spectrum.

The following is the fifth question with only the top two options listed.  They are the most surprising of the answers: 

[Image: the-cap-fn-q5.jpg]

Not a single conservative chose a stable and secure Iraq as the most important U.S. policy objective.  But 26 liberals did.  At least the so-called “hearts and minds” issue remains in the top slot.  Just how we pursue that objective would take another survey entirely.

The eighth question in the survey gets down to judging the institutions responsible for improving the picture:

Below are departments and agencies involved in protecting the American people from global terrorist networks and in advancing U.S. national security goals. Thinking about the period from 9/11 to the present day and recognizing that different offices within U.S. government agencies/ departments perform at different levels, please rate each agency /department overall on a scale of 0 to 10.

Survey says:

[Image: the-cap-fn-q8.jpg]

No HSC?  The Department of Homeland Security is ranked slightly below average across the board.  It is helpful that the surveyors included the National Security Council, which fared worse than any of the other eight agencies on the list.  But no mention of the White House Homeland Security Council?  Perhaps that’s a worse fate. 

The following question helps to convey the political balance that the Center for American Progress and Foreign Policy strove for. The former is not known for doing this, but it’s not their role anyway. This topic, however, is too important to represent only half of the political spectrum.

[Image: the-cap-fn-q38.jpg]

According to this response, the breakdown between conservative and liberal gradients is almost perfectly equal.

July 22, 2007

9/11 Conference Bill: A QDR for HLS?

Filed under: Budgets and Spending, Congress and HLS, Risk Assessment — by Jonah Czerwinski on July 22, 2007

General Eisenhower is often quoted for having said that, “In preparing for battle I have always found that plans are useless, but planning is indispensable.” In a way, that’s the underlying motto to the Defense Department’s Quadrennial Defense Review, which was mandated by Congress in the Military Force Structure Review Act of 1996. The new 9/11 Bill establishes a similar process for DHS called the “Quadrennial Homeland Security Review.”

The QDR is a “comprehensive examination of the national defense strategy, force structure, force modernization plans, infrastructure, budget plan, and other elements of the defense program and policies of the United States,” according to the 1996 Act. That boils down to a four-year strategic assessment of the current threats facing the U.S. and its interests, a top-level strategy for how the Defense Department will address those threats, and a preliminary justification for near- and long-term investments. DOD has a way of connecting that document with other planning mechanisms, including the National Security Strategy, National Defense Strategy, National Military Strategy, Unified Command Plan, Strategic Planning Guidance, Transformation Planning Guidance, and Joint Operational Concepts, to name a few. Imagine if the Department of Homeland Security generated or linked strategies like this. It might lead to what the Defense Department would call an overarching framework, something that is difficult to pin down in the HLS domain.

Section 1606 of HR1 establishes the Quadrennial Homeland Security Review. The main purpose according to the legislation is to conduct:

“a comprehensive examination of interagency cooperation, preparedness of Federal response assets, infrastructure, budget plan, and other elements of the homeland security program and policies of the United States with a view toward determining and expressing the homeland security strategy of the United States and establishing a homeland security program for the 20 years following that examination.”

That reads a lot like the Military Force Structure Review Act. It also reflects the insightful analysis offered by a veteran of four QDR’s, former Deputy Assistant Secretary of Defense The Quadrennial Defense Review: A Model for the Quadrennial Homeland Security Review.”

Now the President and Co-Founder of the Center for a New American Security, Michele Flournoy suggests a list of commonalities between DHS and DOD that might allow the former to benefit greatly from a so-called QHSR. She says that both Departments are:

• charged with missions that are vital to the health and welfare of the nation – protecting the American people and our way of life is a mission in which we cannot fail;

• facing persistent and resourceful enemies;

• large, complex bureaucracies comprised of a number of diverse and (in some cases, previously independent) organizations with their own cultures, traditions, and ways of doing business;

• responsible for spending billions of taxpayer dollars as efficiently and effectively as possible;

• perennially in the position of having more programs to pay for than budget; and

• trying to balance near-term demands against long-term investments.

Hard to argue with that. The authors of the QHSR will be challenged by a constant pressure to seek reform through reorganization. This is misplaced energy in large part. The focus for a QHSR should certainly seek to address the bullets above, but also the important questions of how we clearly define the threat posed by terrorism, as well as natural disasters in the context of securing the homeland; how do we define the capabilities necessary in such a way that we can craft an actionable investment strategy; how do we plan to spread this responsibility more effectively across the Executive Branch agencies; and what is the strategy for engaging allies in the process of defining the threat and our shared interests in defeating it?

The language in the Bill ends by stating that “the Secretary [of Homeland Security] shall provide to Congress and make publicly available on the Internet a detailed resource plan specifying the estimated budget and number of staff members that will be required for preparation of the initial quadrennial homeland security review.” According to the Bill, the first QHSR would commence in 2008, just when the next QDR process begins.

Update 7/25: Turns out the people who worked up the International Supply Chain Security Strategy considered how that plan relates to other existing ones in a way similar to how DOD does so with the QDR as I mentioned above. This is from the new supply chain strategy document:

[Image: supply-chain-strat-relative-to-other-strategies.jpg]

July 13, 2007

More Than a Feelin’

Filed under: Risk Assessment, Terrorist Threats & Attacks — by Jonah Czerwinski on July 13, 2007

I couldn’t resist.  While the press and the public try to divine what Secretary Chertoff might have meant when he described a “gut feeling” that indicated a heightened threat to the U.S., but not one that registered on the color scale, most responded with more questions.  No surprise there.  We have trouble nowadays really defining what the threat is to the U.S. Is it a terrorist or a tornado?  Nuclear weapons or naturalized immigrants? 

It’s all under the purview of DHS to some extent, and that’s probably why the Secretary of Homeland Security has that feeling: It is hard to rule anything out when the threat is so difficult to define. As I’m often inclined to do, I looked overseas for some guidance on how to define the threat posed by terrorism in a general sense. It seems the UK is always said to have recent experience in terrorism plots and attacks, and their stiff upper lip often lends itself to a level of candor uncommon on this side of the Pond. Here is what MI5’s Joint Terrorism Analysis Centre explains might be behind that feeling:

The US, UK and Israel, and their representatives overseas, remain the prime targets for international terrorist networks, particularly Al Qaida. However, Usama bin Laden has variously identified a number of other countries as allies of the US which should also be targeted. 

[snip] 

Countries that are participating in the reconstruction efforts in Iraq have also been identified as targets.  On 18 April 2005, a statement claiming to be from Abu Musab Al Zarqawi’s terrorist network in Iraq, linked to Al Qaida, appeared on several websites, threatening attacks against British forces in Iraq and “all the agents, spies offering them protection and their human shields”. …  While some countries’ interests may be singled out, however, attacks on generic “Western” interests, irrespective of the specific nationalities of the likely victims, are seen as equally valid. 

Locations

Official personnel and property, such as diplomatic missions and military forces, are still seen as priority targets for attack, as shown by the attacks on the British Consulate in Istanbul in November 2003, the Australian Embassy in Jakarta in September 2004 and the US Consulate in Jeddah in December 2004. 

However, terrorist cells are increasingly looking at less well-protected “soft” targets where Westerners can be found, such as social and retail venues, tourist sites and transport networks (rail, road and airports), as illustrated by the attacks in Bali in October 2002, Madrid in March 2004 and Egypt in July 2005.

I have to give Eileen Sullivan of CQ Homeland Security credit for the title here.  It was her article on this subject that first invoked the song by Boston. 

June 29, 2007

Evolving Adversary Attempts Next Attack on London

Filed under: Risk Assessment, Terrorist Threats & Attacks — by Jonah Czerwinski on June 29, 2007

Not a lot of detail in the public statement today from the Secretary about the foiled bombing in central London last night.  You can view the statement at the bottom of this post.  Following is a summary and analysis from London-based Exclusive Analysis.  They gave me permission to share this proprietary document here on HLSWatch.com.  It beats any newspaper update at this point and I’m grateful to them for allowing our readers to get this kind of detail.

At approximately 2am GMT, officers defused a bomb on The Haymarket in the Piccadilly Circus area of central London. Police responded to reports of a Mercedes driving erratically; the driver was reported to have crashed the car near Tiger Tiger nightclub before fleeing the scene. The device found in the car is so far reported to have utilised gas canisters, petrol and nails.

Analysis and Forecasts

The level of sophistication of the device has yet to be determined; evidence revealed in the investigation will be a key indicator of the level of capability of the bomber.

Police reports so far suggest that the vehicle contained canisters of gas and petrol and that there were nails found in the car. The intended method of initiation of the device is as yet unverified. For instance, whether explosives were to be used to initiate the device with a timer, or whether the petrol was to be set on fire to trigger the gas canisters to explode, will be an important indication of the potential scale of damage. An ambulance that arrived on the scene early reported that the car was full of smoke. The presence of smoke means that it is possible that the device was scheduled to detonate on a timer and that it had gone off early or malfunctioned. Indeed, it may have been the smoke that caused the driver to begin driving erratically and flee the scene.

Though a densely populated nightclub in central London would certainly be a prime target, this also suggests that the car might not have been left at its intended destination (i.e. that the would-be bomber stopped the car and fled prematurely). The nails do suggest that civilian casualties were a goal; exploding canisters would also produce shrapnel. Gas cylinders have been used frequently by terrorist groups, particularly the IRA within the UK in the past and FARC in Colombia more recently, because they are simple to use and easy to obtain. However, the blast area would not be of the same radius as a large fertiliser bomb.

Both the method and the target of this incident suggest that home-grown terrorists are learning from and influenced by one another.

Our analysis suggests that home-grown European networks are making contact with one another for the purpose of learning from one another and coordinating attacks. Moreover, would-be attackers learn from remotely observing the plots and mistakes of others. For instance, Dhiren Barot, who was imprisoned in the UK in November 2006 for plotting attacks, planned to detonate limousines wired with gas canisters outside the London Stock Exchange. The members of the group arrested for a “fertiliser bomb” plot in 2004 had discussed targeting nightclubs, and nightclubs also feature as a target on extremist websites. Increased collaboration will at first expose individuals to detection, but over time learning will occur, and through social connections knowledge will be passed on, increasing capability over the one- to two-year period.

In this case, the police have stated that there was no specific intelligence about an upcoming attack and that this was a reactive operation, not intelligence-led, showing that the bomber had at least managed to evade surveillance. It is possible that the individual(s) involved were known to intelligence services, but that they, like the 7/7 bombers, had not been prioritised for surveillance out of the large volume of information and leads the security services are grappling with (information overload has become a problem following the expanded definition of ‘terrorism’ under the Terrorism Act 2006).

The target set for UK attacks is likely to focus on large capacity venues in order to maximise casualties and media attention.

Though it is not yet confirmed that any of the bars or clubs in the area of the incident were specific targets, such a target set is certainly consistent with past plots and threats. Sunni extremist groups wanting to carry out terrorist attacks in the UK are likely to choose targets that will maximise casualties. Whilst economic disruption is a desirable side effect of an attack, killing large numbers of people is likely to be the priority. The death toll of an attack, as well as being a gauge of how successful it has been, would also be viewed as justified revenge for those Muslims killed in the War on Terror. Evidence given during the trial of the 21/7 suspected bombers claimed that several of the bombers had repeatedly talked about wanting to pay back the UK for the deaths caused by the wars in Iraq and Afghanistan.

Venues that represent perceived ‘ills’ of Western society, such as bars, clubs and concerts are also likely to be appealing to extremist groups. The ‘fertiliser plot’ bombers, who had talked about targeting the Ministry of Sound nightclub, were recorded saying that none of the casualties in an attack on a London nightclub would be ‘innocent’ as they would all be ‘slags’. Although it is clear that terrorists in the UK are prepared to carry out suicide bombings, it is not necessarily the only tactic that terrorists would use. Venues that have large capacities, such as transportation hubs, airport check-ins, nightclubs and bars, or those with both large capacities and that are accessible by car (e.g. city-based skyscrapers or Canary Wharf) will all be at heightened risk.

 And now the press release: 

From: DHS Employee Communications
Sent: Friday, June 29, 2007 10:46 AM
To: ^DHS-HQ-ALL-QB
Subject: STATEMENT BY SECRETARY CHERTOFF: LONDON INCIDENT

 

STATEMENT BY SECRETARY CHERTOFF ON LONDON INCIDENT

We have been in close contact with our counterparts in the U.K. regarding the suspected explosive device discovered in a vehicle in the London Haymarket area.  Our law enforcement and intelligence officials are closely monitoring the ongoing investigation.

At this point, I have seen no specific, credible information suggesting that this incident is connected to a threat to the homeland.  We have no plans at this time to change the U.S. threat level.  DHS and the FBI have been in touch with our state and local homeland security and law enforcement partners to convey available information.

We encourage the public to enjoy the upcoming holiday but ask, as always, that they be vigilant and report any suspicious activities to authorities.

May 28, 2007

UMD Terror Database, Now Public, Should Inform Risk Analysis

Filed under: Risk Assessment, Terrorist Threats & Attacks — by Jonah Czerwinski on May 28, 2007

The University of Maryland’s National Consortium for the Study of Terrorism and Responses to Terrorism (START) made its terrorism attack database publicly available.  It provides a unique service for understanding the big picture, but other uses may include adding depth to the challenge of understanding risk in the context of terrorism threats. With content covering about 80,000 incidents between 1970 and 2004 (details on the period through 2007 forthcoming), it provides one of the few data sources for risk analysis of this scope and detail.  Intentional attacks disallow a conventional approach to gauging risk because data points (incidents) are the result of adaptive causes (perpetrators). 

Because factors other than frequency and severity should inform assessments of terrorism risk, it is noteworthy that the START database includes 45 factors (~140 in the next version) that can be used to determine antecedent markers, common vulnerabilities, and other trends that emerge from a deep look at past cases. The Congressional Research Service waded into the subject of risk as outlined in this post.

Other helpful resources for understanding trends and historical data in terrorism include an excellent visual representation by Claire Rubin and William Cumming found here.  Their terrorism timeline provides a useful and evolving snapshot of terrorism and other “major incidents” since the 1993 attack on the World Trade Center. The juxtaposition of these events with corresponding or coincidental policy outcomes that include federal policies, exercises, plans, and statute is of particular value.

While trend setting is one way of judging risk, another is just plain insight and anticipation of likely events, outcomes, and relevant impact based on good information.  Exclusive Analysis, a London-based firm with staff scattered around the globe, produces what might be among the best ongoing risk analysis out there serving everything from governments to private sector clients of a range of sizes.  They publish a subscription-only “Intelligence Bulletin” focused on regions and/or industry sectors.  It’s a pithy yet detailed distillation that publishes daily.  The value here is a targeted concept of risk (i.e. inclusive, but not anything and everything) that nevertheless rules in just about every factor from local changes in laws pertaining to chemical stewardship or privacy practices to consequential government deliberations about planned interventions and interests overseas.  Worth looking into at this site.

February 10, 2007

CRS Takes on “Risk”

Filed under: Budgets and Spending, Congress and HLS, Risk Assessment — by Jonah Czerwinski on February 10, 2007

This month the Congressional Research Service issued a new report on the concept of “risk” in Homeland Security.  The importance of assessing, mitigating, and otherwise calculating risk in the effort to protect the homeland is easy to appreciate.  But claw back the terminology and talking points, and it becomes less clear just how risk can be assessed – much less calculated – when it comes to the evolving threats of terrorism.  Terrorism offers neither the trend lines nor the depth of historical data (thank goodness) needed to design a reliable methodology that risk assessment demands in other cases, such as hurricanes or car accidents.   

Does that mean it’s a useless tool?  Secretary Chertoff brought a welcomed new rationale to homeland security investments when he was nominated by suggesting that politics needn’t drive the way we protect vulnerable components of the country.  He argued that HLS leadership should “base its work on priorities driven by risk.”  Eventually adopting a phrase coined by the HSAC WME Task Force, he began suggesting that DHS efforts should “buy down the risk:”  Investments, in other words, should be targeted in ways that bring about the greatest possible return by gauging the likelihood and potential severity of terrorist threats to the homeland.  According to CRS, that’s easier said than done.  While this may have occurred to many of us during the years since Secretary Chertoff first committed the Department to this rationale, few have been able to bring this kind of clarity to the real challenges of applying risk to protecting against (or actively combating) terrorism.

While this new study draws attention to the important issue of how to apply the nearly $12 billion spent under the federal Homeland Security Grant Program, it’s worth considering how risk assessments may be used (or eventually required) for determining other HLS investments.  For example, look for renewed attention by Congress on WMD-related initiatives.  Long-lead items such as research and development for better defenses against bio- or nuclear terrorism involve significant uncertainty because scientific research may lead to dead-ends before arriving at a new solution.  It will be important for Congress to consider how risk assessments could determine if WMD attacks are deemed sufficiently likely to warrant the level of commitment called for in some of these areas (see post from 2/6/07).  I’ll dedicate another post soon to this important question.  In the meantime, the CRS study is entitled “The Department of Homeland Security’s Risk Assessment Methodology: Evolution, Issues, and Options for Congress,” and can be found here.

December 21, 2006

DHS defends ATS

Filed under: Border Security, Risk Assessment — by Christian Beckner on December 21, 2006

DHS Asst. Secretary for Policy Stewart Baker spoke at a forum at CSIS yesterday, and defended the recently-criticized Automated Targeting System, as noted in this GCN story and this Reuters piece:

The U.S. Automated Targeting System, or ATS, a computerized program that collects personal data on travelers and retains it for up to 40 years, has come under fire in recent weeks from rights activists who say it violates privacy laws and a congressional-funding ban.

But Stewart Baker, assistant secretary of the Department of Homeland Security, said the system’s critics are either “paranoid” or don’t understand that ATS assigns risk ratings only to cargo.

“We have risk scores for cargo,” Baker told a forum hosted by the Center for Strategic & International Studies.

“I don’t think that we’re scoring human beings, and we’re certainly not keeping score on them,” he said. “We do an assessment of people when we look at the data. But that could vary from flight to flight, day to day.”

I’ve maintained since this story started to break in early November that the concerns about this program have been overstated by its recent critics, and I’m glad to see DHS finally pushing back and defending the program. There needs to be more clarity about how ATS-P works and how information is saved and stored within it, but it clearly has a valid role within the broader border and traveler entry system, and is worthy of a vigorous defense.

Update (12/21): Here are Baker’s remarks from the CSIS event.

Update (12/29): The full transcript from the CSIS event is available here.

December 15, 2006

Book Review: “Overblown”

Filed under: General Homeland Security, Risk Assessment, Terrorist Threats & Attacks — by Christian Beckner on December 15, 2006

Last month Ohio State University professor John Mueller published the book “Overblown: How Politicians and the Terrorism Industry Inflate National Security Threats, and Why We Believe Them.” The book expands upon his article in Foreign Affairs earlier this fall entitled “Is There Still a Terrorist Threat?” (which I reviewed in this post). Mueller has taken these arguments on the road recently, with an appearance on The Daily Show (Part 1, Part 2) in October and a policy event at the Cato Institute earlier this week.

The book makes three main arguments: (a) the terrorist threat is overstated today, (b) we’re exacerbating the threat by believing that it’s serious, and (c) there is now a “terrorism industry” that has a vested interest in maintaining public alarm.

These are all topics that are worthy of debate. You can read my earlier critique of (a) in this post on his Foreign Affairs piece. I partially agree with (b); it is imperative that our leaders avoid fearmongering, and that we take steps to make our society more resilient to avoid adverse secondary effects from disruption. And I think (c) uses a cheap epithet to make a blanket ad hominem criticism of anyone who believes that the terrorist threat is serious and consequential.

But unfortunately, Mueller undermines the basis for this debate by using false and misleading examples and statistics in numerous places in the book. For starters, take the opening paragraphs of his Introduction:

Upon discovering that Weeki Wachee Springs, his Florida roadside water park, had been included on the Department of Homeland Security’s list of over 80,000 potential terrorist targets, its marketing and promotion manager, John Athanason, turned reflective. “I can’t imagine bin Laden trying to blow up the mermaids,” he mused, “but with terrorists, who knows what they’re thinking. I don’t want to think like a terrorist, but what if the terrorists try to poison the water at Weeki Wachee Springs?”

Whatever his imaginings, however, he went on to report that his enterprise had quickly and creatively risen to the occasion - or seized the opportunity. They were working to get a chunk of the counterterrorism funds allocated to the region by the well-endowed, anxiety-provoking, ever-watchful Department of Homeland Security.

Which is the greater threat: terrorism, or our reaction against it? The Weeki Wachee experience illustrates the problem.

This sounds terrible, right? Another example of people being opportunistic and unjustly trying to grab that homeland security cash?

Not really. Unlike John Mueller, I wrote earlier this week to John Athanason, the manager of Weeki Wachee who is quoted in the passage above. This was the first that he had heard about his inclusion in this book. Athanason quickly wrote back to me and clarified the story (emphasis his):

You don’t see anywhere in the press about the park getting money for the “terrorism threat”, because the attraction was never intended to get any money.

In the state of Florida, each and every county had one request given to them by Homeland Security. Within your county, where would the most likely target occur in the event of a terrorist attack? Within Hernando County, our attraction was listed by our local authorities because we have a venue that attracts a large number of people at any given time. We did not pursue any money, nor did we ever apply for any money. All communication went directly to the local authorities to see what supplies they would need to assist them in any crisis, if one were to happen. We have never received any amount of money from Homeland Security.

The reality is the exact opposite of what Mueller reports in his book. The actions of Athanason and the Florida officials were appropriate across the board. I’m surprised that Mueller or someone from Simon & Schuster didn’t double-check this story, especially given the fact that it kicks off the book, and is mentioned repeatedly later in the book and in his remarks as the paragon of homeland security waste. This is just plain shoddy.

And so it goes throughout the book and in his public remarks. For example:

  • The end of my earlier blog post mentions one such statistical miscalculation, in his comparison of bathtub deaths to deaths by acts of terrorism.
  • He miscalculates aviation security spending on page 31 of the book, suggesting that TSA spends $4 billion on airline passenger screening, another $4.7 billion on “zapping checked baggage”, and another half-billion on air marshals. That adds up to $9.2 billion, but the actual entire TSA budget in FY2007 is $6.4 billion - he’s clearly double-counting somehow.
  • In his remarks at Cato on Wednesday, he noted that federal law enforcement prosecutions have suffered because of attention to terrorism - a statement that this chart seems to contradict.
  • He suggested in those same remarks that zero people have been killed by acts of terrorism within the United States since 9/11 - an untrue statement, and one that is disrespectful to the families of the victims of the anthrax attacks.
  • Also in those remarks, he dismissed the relevance of the UK aviation plot to the U.S. aviation system because it was “on a different continent.” Does he not realize that the plotters were intending to fly to the United States? And that our aviation system is inherently global in scope?

I could go on, but you get the point. This book is wrong in its key points and misleading in its details. It paints a falsely benign picture of the terrorism threat - a viewpoint which could lull us into a dangerous sense of complacency were it to be increasingly accepted. We need to overcome our fears, live resolutely, and build a culture of preparedness and resilience into our societies, but we should not for a minute become complacent about the real and persistent threats that we face.

December 12, 2006

Article assesses aviation security screening

Filed under: Aviation Security, Risk Assessment — by Christian Beckner on December 12, 2006

The operations research journal Interfaces is publishing an entire issue of homeland security-related articles this month, and highlighted one of the articles in it in a press release in mid-November. That article, entitled “How Effective is Security Screening of Airline Passengers?” attempts to answer a question that has long bedeviled TSA and other aviation screening agencies: what is more effective, risk-based screening or random screening?

The authors, Susan Martonosi at Harvey Mudd and Arnold Barnett at MIT, build a model that includes variables for primary screening effectiveness, secondary screening effectiveness, the percentage of passengers selected for random screening, the effectiveness of the prescreening system, and the terrorists’ deterrence threshold. They test the model several times using different assumptions for these variables, and get results for a range of scenarios that suggest that neither risk-based secondary screening nor random secondary screening is inherently better than the other:

As this simple mathematical model suggests, neither side has made a persuasive case about the effectiveness of airport passenger-profiling systems. Supporters of such systems have focused mostly on the ability of the algorithm to identify terrorists (C), an ability they may well overestimate. They say little about screening effectiveness of both low-risk passengers and selectees (p1) and (p2), yet these effectiveness parameters are crucial to the overall success rate of the system. Skeptics may have given insufficient weight to deterrence (τ), because of which, the selection and screening system might prevent attacks even though it falls well short of perfect. Probing the system, as we have seen, could sometimes prevent a terrorist act rather than ensure its success.

They conclude the article by suggesting that improving the baseline screening for all passengers might be a better investment than improving prescreening or secondary screening. Overall, a good article, and a useful exercise in trying to analyze an issue too often guided by intuition or emotion. You can see the descriptions of some of the other articles in this issue of Interfaces at this link.

December 11, 2006

ATS-P controversy still simmers

Filed under: Border Security, Privacy and Security, Risk Assessment — by Christian Beckner on December 11, 2006

The controversy over the passenger component of the Automated Targeting System has simmered over the past month (see my previous posts here and here) in the media and the blogosphere, with the latest feud centering around whether a provision in the FY 2007 appropriations acts prohibits the risk assessment function of the ATS-P. Privacy and civil liberties groups have argued in the past week that it does. DHS has started to fight back against these charges in the media, as exemplified by Sec. Chertoff’s quotes in this National Journal piece by Shane Harris.

You can read the full provision in question, Sec. 514, on pages 25-26 of the FY 2007 DHS appropriations bill (H.R. 5441) at this link. My take on this question is that ATS-P does not violate Sec. 514, which specifically references the domestic Secure Flight program and “any successor programs.” ATS-P is a program that preceded Secure Flight. And all of the references to GAO requirements in Sec. 514 confirm that this was solely written with Secure Flight in mind.

There is one other important difference between the two programs that is also worth pointing out: the domains in which the two programs are used. ATS-P is for inbound international arrivals. Secure Flight, if it were to become operational, would be for domestic air travel. The security imperatives and the personal rights of individuals are inherently different in these two domains. In the domestic realm (Secure Flight), travelers are presumed to be legally in the United States, and the sole purpose of risk assessment is related to risks associated with the air travel. In the international realm (ATS-P), identity is not assumed but needs to be proven, and the government has a legitimate role in determining the identity and nationality of individuals entering the United States as a legitimate assertion of national sovereignty. At borders and points-of-entry, the government has greater authority to conduct search and inspection activities than at any place inside of the country’s borders. This same inherent authority is what, I think, should give the ATS-P system a greater authority to conduct security-related risk analysis than any domestic risk assessment system.

There are some legitimate concerns that the privacy and civil liberties groups have brought forward in the course of this debate, e.g. questioning the rationale for retaining records for 40 years. But overall, I find myself sticking to my original impression of this issue when I first posted about it in early November, and wondering what all the fuss is about.

December 1, 2006

ATS-P gets more scrutiny

Filed under: Border Security, Risk Assessment — by Christian Beckner on December 1, 2006

The AP has a story tonight that follows up on a Washington Post story from a couple of weeks ago and looks at the Automated Targeting System-Passenger (ATS-P) at DHS which is used to assess travelers entering the country. Since the initial Post story, DHS has released a Privacy Impact Assessment for the program and the Electronic Freedom Foundation (EFF) has sent comments to DHS questioning the system. DHS is arguing that this is not a new risk assessment system, but instead a well-established one, an assertion with which I agree; indeed, as I showed in my previous post on this, there are references to the ATS-P in the public record as far back as 2004.

But what about its actual function? David Sobel from EFF asserts in a CQ piece today (subscription req’d) that he wasn’t aware that ATS had a passenger risk assessment function until this recent notice:

But EFF contends that “prior to the Department’s publication of its Federal Register notice on Nov. 2, there had been no public disclosure of the fact that the ATS was being used to assign levels of suspicion or potential risk to individuals — all public discussion of the system indicated that it was used to screen cargo.”

A DHS inspector general’s report from August that surveyed the department’s programs using data-mining technology described ATS as a cargo screening system, said EFF senior counsel David Sobel. When he read the IG’s report, “I was basically looking for programs that raised privacy issues . . . and I wasn’t concerned about [ATS]” because it concerned cargo, he said.

But the notice now raises “substantial privacy issues,” Sobel said, adding that the department is making it “sound like this is not a significant change.” DHS claims that the Automated Targeting System is associated with the TECS, but Sobel said a previous Federal Register notice about the Treasury Department’s program mentions nothing about ATS.

However, a quick Internet search shows that there are prior public references to the Automated Targeting System having a role in terms of the risk assessment of passengers inbound to the United States. For example, there’s this passage in a June 2006 report by Canada’s privacy commissioner on the Canadian Border Services Agency (emphasis added):

More specifically, the HRTI tool facilitates the sharing of API data from the CBSA’s Passenger Information System (PAXIS) and the U.S. Automated Targeting System-Passenger (ATS-P) system over a secure IT link. We were informed that the sharing of PNR data under the HRTI initiative will not begin prior to June 2006.

….The back-end analysis component involves running risk patterns, jointly established by the CBSA and the U.S. CBP, based on known indicators, trends and analysis, against a traveller’s API/PNR in order to establish a risk score for the traveller. The risk patterns are comprised of various PNR elements, however the scores and risk levels attributed to them vary in accordance to the pattern they are assigned to. The risk score total is used to assess whether a traveller meets an established risk threshold of a particular risk pattern, which would theoretically identify the traveller as an individual who may require closer scrutiny or who is of high or unknown risk.

As I stated in my original post on this, I think this is an overblown story in some respects. There should be a dialogue on the efficacy of this system and its privacy protections, but I don’t think it’s correct for privacy groups and the media to act shocked about the existence and function of the ATS-P.

November 30, 2006

Chertoff admits error on NYC grant decision

Filed under: Risk Assessment, State and Local HLS — by Christian Beckner on November 30, 2006

It’s about time. From remarks by Sec. Chertoff yesterday, quoted in the New York Post:

“We’ve come to the conclusion that perhaps there was a little too much bean counting and a little less standing back and applying common sense to look at the total picture,” Chertoff told a grant-writing conference.

“And I’ve heard the complaints about it, looking like we’re playing kind of a pop-quiz type of game with local communities,” he said.

“They have to try to guess what we’re looking for - and if they guess wrong, they don’t get the money that they think they’re entitled to, and that they may be entitled to.”

Back when the decisions were announced, I described the analysis that led to this decision as “garbage in, garbage out”, criticizing it for relying too much on illusory statistical certainty and not enough on a gut-check about threats. And when Sec. Chertoff tried to defend the decision in a New York Times op-ed, I wrote:

I think [Chertoff] needs to get out of PR mode and acknowledge that this decision did not live up to his own high standards for risk management, discuss the unique nature of NYC and DC in the nation’s risk profile, and listen to constructive criticism about how to improve the allocation process.

I’m glad to see that he’s come around to acknowledging this reality. Hopefully we’ll see a more robust grant process in FY 2007, one that doesn’t get falsely seduced by a 3.2 billion calculation spreadsheet, but instead uses this analysis as a support tool for informed grant decisions.

November 6, 2006

A new risk management tool for maritime security

Filed under: Port and Maritime Security, Risk Assessment — by Christian Beckner on November 6, 2006

The latest issue of the Journal of Commerce has an interesting article that profiles a new risk assessment tool used by the Coast Guard to assess maritime security-related threats. From the article (available by subscription only):

No one will dispute that the government lexicon is jargon-happy, and the Coast Guard has coined some doozies. One of the newest acronyms is the Maritime Security Risk Assessment Model, or MSRAM, which is rapidly becoming one of the agency’s premier risk-management tools.

The Coast Guard launched MSRAM last spring, and by the end of summer, the whole national inventory of freight and cargo terminals, bridges, tunnels and other port infrastructure had been given new, improved risk scores. When the Department of Homeland Security handed out $168 million in port security funds in September, the MSRAM score counted for 25 percent of an applicant’s total score. Future grant rounds are as likely to depend on MSRAM results.

Officials said that the MSRAM will make risk assessment more consistent among ports. It replaces the Port Security Risk Assessment Tool, or PSRAT, which was introduced after the Sept. 11, 2001, terrorist attacks.

….MSRAM is a computer program that is based on the Coast Guard’s triangle of risk management: threat — vulnerability — consequence. For each port facility or “asset,” the program walks the user through the process of identifying threats to the asset, its vulnerability to attack and the consequences of an attack. With that information, MSRAM computes a numerical score that represents the risk posed by a terrorist attack on that particular asset. The numerical scores are classified. On the one hand, assessing threat requires the use of national intelligence. On the other hand, the Coast Guard doesn’t want to say which facilities are vulnerable.

This seems to be unambiguously an improvement on earlier risk assessment methodologies, and is a positive sign that DHS, despite occasional setbacks, is gradually getting better at the difficult task of risk assessment.

To find out more about the MSRAM, there’s a scattering of information on the internet about it. Perhaps the most useful explanation of it is found in this Naval Postgraduate School master’s thesis by a Coast Guard officer on vulnerability assessment of maritime infrastructure, a document that includes this chart that summarizes the methodology:

For additional info, see the chapter entitled “Safely Securing U.S. Ports” in this issue of the Coast Guard’s Proceedings magazine and this GAO report from earlier in 2006 which mentions it several times.

November 3, 2006

Fed Register notice on ATS draws WaPo’s attention

Filed under: Border Security, Risk Assessment — by Christian Beckner on November 3, 2006

On Thursday morning, DHS published a Privacy Act system-of-records notification in the Federal Register about the Automated Targeting System (ATS), specifically its person-centric component used to screen for entry into the United States, known as ATS-P.

I saw the notice on Thursday morning, and didn’t find it especially newsworthy, given the fact that there was an extensive prior history about ATS-P in the public record; for example, see this CBP annual report (see page 29), this congressional testimony by former DHS official Asa Hutchinson from 2004, and the DHS budget-in-brief for FY 2006.

But evidently the Washington Post thought differently, writing about it in today’s edition:

The federal government disclosed details yesterday of a border-security program to screen all people who enter and leave the United States, create a terrorism risk profile of each individual and retain that information for up to 40 years.

The details, released in a notice published yesterday in the Federal Register, open a new window on the government’s broad and often controversial data-collection effort directed at American and foreign travelers, which was implemented after the Sept. 11, 2001, attacks.

While long known to scrutinize air travelers, the Department of Homeland Security is seeking to apply new technology to perform similar checks on people who enter or leave the country “by automobile or on foot,” the notice said.

The department intends to use a program called the Automated Targeting System, originally designed to screen shipping cargo, to store and analyze the data.

Reading the Federal Register notice again, it’s unclear to me whether the third paragraph of the story is a correct interpretation of the notice. The notice indicates that risk assessments are based on a number of sources, including “existing information” about “persons crossing the United States land border by automobile or on foot.” I read that as saying that DHS is using land border crossing data as an input to risk assessment for international entry by air, not conducting that same type of risk assessment at land borders. Hopefully DHS will clarify this point so that there’s a firm understanding of the roles and scope of the system.

October 18, 2006

RAND assesses maritime terror risks

Filed under: Legal Issues, Port and Maritime Security, Risk Assessment — by Christian Beckner on October 18, 2006

RAND released a report on Monday entitled “Maritime Terrorism: Risk and Liability” which provides a comprehensive qualitative risk assessment of terror threats in the maritime domain (including container shipping, cruise lines, and passenger ferries) and discusses issues related to civil liability in maritime terrorism. The press release for the report highlights some of its key conclusions:

Cruise ships and ferry boats need more protection against terrorist attacks that could kill and injure many passengers and cause serious financial losses, according to a new RAND Corporation report.

“Attacks on cruise ships and ferry boats would meet the interrelated requirements of visibility, destruction and disruption that drive transnational terrorism in the contemporary era,” said Peter Chalk, one of the report’s co-authors. “Recognizing this is essential to any comprehensive regime of maritime security.”

The report concludes it is not adequate to base maritime counterterrorism efforts only on increasing port security and the security of cargo container ships, rail cars and trucks that transport goods into and out of United States ports.

“Focusing solely on securing the container supply chain without defending other parts of the maritime environment is like bolting down the front door of a house and leaving the back door wide open,” said Henry Willis, a RAND researcher and a co-author of the report.

The study by RAND, a nonprofit research organization, also says a maritime terrorist attack is likely to create complicated liability issues that will slow efforts to compensate victims of an attack.

“We need to examine closely the challenges that a maritime attack would create for our civil justice system,” said Michael Greenberg, another of the report’s authors. “Tort liability is supposed to compensate victims while providing appropriate security incentives for firms. But ambiguous liability standards in the maritime terrorism context raise the prospect that the civil justice system may neither be effective as a compensation mechanism, nor in generating clear incentives for the private sector.”

Overall, it’s a useful and relevant study, in particular the threat assessment in Chapter Two. You can download the full report at this link.

September 21, 2006

Heritage report on homeland security grants

Filed under: Budgets and Spending, Risk Assessment — by Christian Beckner on September 21, 2006

The Heritage Foundation published a piece today, co-authored by Heritage’s Jim Carafano and Jamie Metzl from the Partnership for a Secure America, on Congress’s inaction in making the homeland security grant system risk-based. The article provides a good history of this debate, and offers two recommendations for Congress:

Require the Department of Homeland Security to conduct a Quadrennial Homeland Security Review, just as the Department of Defense is required to conduct its Quadrennial Defense Review, and

Reform homeland security grants by eliminating the minimum-grant formula to allow for pure risk-based funding.

And two recommendations for DHS:

Continue to update the formula for homeland security grant allocation to reflect risk, threat, and vulnerability, and

Create regional offices to coordinate disaster preparedness and response, as mandated by HSPD-8 and the Homeland Security Act of 2002.

Overall, a solid piece on this important issue.

August 21, 2006

Is there still a terrorist threat? (Yes)

Filed under: Risk Assessment, Terrorist Threats & Attacks — by Christian Beckner on August 21, 2006

The new issue of Foreign Affairs arrived in the mail over the weekend. It contains an article by John Mueller, a professor at Ohio State University, with the unfortunately-timed title of “Is There Still a Terrorist Threat? The Myth of the Omnipresent Enemy.” In the piece, Mueller attempts to argue that there essentially is no meaningful terrorist threat from al-Qaeda to the United States anymore, an argument that seems highly dubious in light of the recently-revealed UK aviation plot. To be fair, that plot was uncovered after the publication deadline. But that doesn’t excuse the significant logical flaws in Mueller’s arguments.

At the beginning of the essay, Mueller writes:

But if it is so easy to pull off an attack and if terrorists are so demonically competent, why have they not done it? Why have they not been sniping at people in shopping centers, collapsing tunnels, poisoning the food supply, cutting electrical lines, derailing trains, blowing up oil pipelines, causing massive traffic jams, or exploiting the countless other vulnerabilities that, according to security experts, could so easily be exploited?

One reasonable explanation is that almost no terrorists exist in the United States and few have the means or the inclination to strike from abroad.

Mueller then looks at the improvements in homeland security since 9/11. Commenting on the remaining gaps in elements of the nation’s infrastructure protection and border security, he wonders why terrorists haven’t struck again. He offers several explanations for this fact (a well-integrated U.S. Muslim community, terrorists biding their time), but then dismisses these arguments. Instead, he prefers this argument:

A fully credible explanation for the fact that the United States has suffered no terrorist attacks since 9/11 is that the threat posed by homegrown or imported terrorists — like that presented by Japanese Americans during World War II or by American Communists after it - has been massively exaggerated. Is it possible that the haystack is essentially free of needles?

Mueller goes on to try to defend this hypothesis by referring to the fact that the FBI has uncovered few terrorist plots or groups in the United States since 9/11 (which is true, at least in the official record), by citing improved international cooperation in combating the terrorist threat, and by arguing (in other words) that al-Qaeda has lost its mojo.

This entire chain of logic in the piece, as briefly summarized above, is flawed in its failure to note these three real phenomena:

  1. Deterrence: Mueller fails to consider or acknowledge that new protective and/or intelligence measures by the United States and other countries have had a deterrent effect on the movement, entry, and activities of potential terrorists for U.S.-based plots, above and beyond their protective and interdictive functions.
  2. Layered Security: In Mueller’s identification of gaps in homeland security, he writes as if these weaknesses are single points of failure that should lead directly to an attack, not considering the fact that there are multiple layers of security in our system, none of them flawless, that together make it more difficult to plan and execute an attack.
  3. Desire to Surpass 9/11: Mueller doesn’t even mention the solid hypothesis that al-Qaeda is biding its time in terms of attacking the United States so that its next attack will be equal to or more “spectacular” than 9/11. For example, the revelations in Ron Suskind’s recent book “The One Percent Doctrine” about the ‘mubtakkar’ subway plot support this theory.

Finally, the last section of the article throws out these cheap canards:

But while keeping such potential dangers in mind, it is worth remembering that the total number of people killed since 9/11 by al Qaeda or al Qaeda-like operatives outside of Afghanistan and Iraq is not much higher than the number who drown in bathtubs in the United States in a single year, and that the lifetime chance of an American being killed by international terrorism is about one in 80,000–about the same chance of being killed by a comet or meteor.

It drives me crazy when people use statistics in this fashion to try to demean the risks that we face from international terrorism. And Mueller uses them in very misleading ways. First, they’re highly selective - notice the decision to remove Afghanistan and Iraq from the totals. Second, they’re wrong. This document notes that there were 341 and 332 bathtub drownings in two recent years (2000 and 2003). Assuming that this statistic falls within a predictable range each year, it’s a lot lower than the combined casualties from al-Qaeda-related attacks in Madrid, London, Moscow, Amman, Riyadh, and Bali, among many other cities, over the past five years. (Did Foreign Affairs fact-check this? And the comet/meteor statistic?) Third, it’s misleading to compare accidental deaths, which government in most cases has little ability to prevent beyond existing product safety activities, to acts of international terrorism where government’s role is paramount and the consequences of an attack far exceed its raw casualty total. Fourth, and most importantly, this type of analysis is retrospective, failing to acknowledge that future attacks could be much more severe than anything we’ve seen so far.

August 18, 2006

Book review: ‘Unconquerable Nation’

Filed under: