SeekerBlog

There are now five posts in the SeekerBlog Homeland Security series, and more to come. Click here for the complete set.

Revised 11 April: Is it time to get serious about Homeland Security? To focus on the likely economic disruption, and what policies could dramatically reduce losses, both human and economic?

Every western democracy has similar issues — all are on the Islamist targeting radar. All are part of the global trade network, which is the most sensitive target. Apologies in advance that most of my references are papers by U.S. think tanks – please substitute the equivalent terms for your country.

Where can the reader find credible information on security policy issues? An efficient source is the 2004 book by Stephen Flynn: "America the Vulnerable". This is a small book, well-written so that the reader can digest the 170 pages efficiently (before getting into the extensive notes and references). It is a practical, management-text-style prescription for reducing the risk and impact of terror. The author is one of the most qualified to advise on this topic. He was the lead author of the final report of the Council on Foreign Relations (CFR) Hart-Rudman Independent Task Force on Homeland Security "America: Still Unprepared, Still in Danger". (Complete CFR biography here.)

In the following I’ll also draw on the U.S. Commission on National Security/21st Century, the Hart-Rudman Independent Task Force on Homeland Security (PDF), and other papers and testimony (more links at the end of this post).

Since 9/11 it has become clear to me that the highest homeland-security priority is to minimize economic disruption from terrorist attacks. In the aftermath of an attack, such disruption will be largely self-inflicted by government agencies driven by the demands of a frightened public. The media focus on the tragedy of loss of life allows the pundit to elicit the most emotional impact and drama. As terrible as that prospect is, America will recover from the loss of human life —recovering from the economic consequences is another matter.

The first goal of leadership should be to inform and involve the public, beginning with these essential principles:

1. Start here: treat the citizens as adults, and ensure they are fulling informed of the real risks (we’re not telling the terrorist planners anything they don’t already know). The policy debate must be framed around risk-management, with prevention as a tactic rather than the sole objective. Acknowledge that the risk of terror attacks can be reduced, but can not be eliminated.
2. Every citizen and business must be an active part of effective security measures (this is not a job just for the Bureaucracy).
3. Because the vast majority of at-risk assets are privately owned and managed, it follows that security initiatives must incentivize action by the owner-operators, whose shareholders will not support capital investment and operating expense unless the competitive playing field is leveled.
4. There are no quick-fix policy options. Effective policies will take years to implement.
5. Effective security is also a powerful deterrent: terrorist leaders do not want to invest years preparing attacks that are likely to fail, and which are unlikely to produce the catastrophic effects they seek. Or that risk the loss of senior operatives, who are few in number.

There is urgency to achieve policy focus now, because we can only design effective policy between attacks. After an attack, Congress will rush to implement policies that are at best ineffective, or that will make the security risk worse. For example, three Case Studies of what not to do:

1. Legislation to "seal the Mexican border" had results exactly like the "War on Drugs" – it created a nursery-garden to grow, nurture and support organized crime). Result: more and more dangerous threats crossing the Mexican border every day.
2. The TSA (Transportation Security Agency), the hugely expensive and largely useless aviation security measures legislated in the aftermath of 9/11. The two biggest improvements for aviation security are: (1) harden the cockpit door; (2) change the behavior of the passengers. Everything else has been ineffective, at huge cost.
3. The "9/11 Commission". While there was useful background information in the staff reports, the member posturing for the media obscured the results. Now we have the un-informed "intelligence reforms" which seem to have satisfied the media, but have accomplished nothing.

If the networks that the U.S. economy (and thus the global economy) depend upon are left unprotected, the post-attack economic impact will be severely damaging. There are many scenarios where attacks on today’s transportation, energy, chemical, food or communications networks will produce an almost unimaginable economic disaster. Such economic consequences will be self-inflicted, unless the voting public have confidence that the vulnerability will be effectively contained by the systems and procedures already in place.

There are no-regrets policies that will drastically reduce such post-attack economic losses, and will also reduce the impact of non-terror events (whether natural disasters, chance events like mad cow disease, or technical faults like electrical grid failures). That’s why I use the term "no-regrets".

Case Study – Container Security: 90% of the world’s general cargo now moves via the intermodal container system from the supplier to, say, your Safeway or Walmart. If there is a glitch in that network it can be "equivalent to a man tripping at the base of a crowded down escalator" (Flynn). Recall how the U.S. shut down air transport post 9/11? Recall what happened to air travel activity, to the airlines? That was insignificant compared to what would happen if even more vulnerable networks were attacked.

Consider what would happen if tomorrow a dirty-bomb explodes in the Port of NY (see also Footnote #2). Today containers are a free-ride for your terrorist – who can ship anything from a human terror-team to a fission nuclear weapon anywhere they wish inside a container. Trust me – under the existing April, 2005 security procedures, it can be done, and if you read Flynn you’ll know some of the techniques. From one to three weeks later automotive assembly lines are stopped and your Walmart shelves are going bare. Here is Stephen Flynn testifying before the U.S. Senate Governmental Affairs Committee, March 2003:

Thus, for would-be terrorists, the global intermodal container system that is responsible for moving the overwhelming majority of the world’s freight satisfies the age-old criteria of opportunity and motive. "Opportunity" flows from (1) the almost complete absence of any security oversight in the loading and transporting of a box from its point of origin to its final destination, and (2) the fact that growing volume and velocity at which containers move around the planet create a daunting "needle-in-the-haystack" problem for inspectors. "Motive" is derived from the role that the container now plays in underpinning global supply chains and the likely response by the U.S. government to an attack involving a container. Based on statements by the key officials at U.S. Customs, the Transportation Security Administration, the U.S. Coast Guard, and the Department of Transportation, should a container be used as a "poor man’s missile," the shipment of all containerized cargo into our ports and across our borders would be halted. As a consequence, a modest investment by a terrorist could yield billions of dollars in losses to the U.S. economy by shutting down-even temporarily-the system that moves "just-in-time" shipments of parts and goods.

Given the current state of container security, it is hard to imagine how a post-event lock-down on container shipments could be either prevented or short-lived
. One thing we should have learned from the 9-11 attacks involving passenger airliners, the follow-on anthrax attacks, and even last fall Washington sniper spree is that terrorist incidents pose a special challenge for public officials. In the case of most disasters, the reaction by the general public is almost always to assume the event is an isolated one. Even if the post-mortem provides evidence of a systemic vulnerability, it often takes a good deal of effort to mobilize a public policy response to redress it.

But just the opposite happens in the event of a terrorist attack—especially one involving catastrophic consequences. When these attacks take place, the assumption by the general public is almost always to presume a general vulnerability
unless there is proof to the contrary. Government officials have to confront head-on this loss of public confidence by marshalling evidence that they have a credible means to manage the risk highlighted by the terrorist incident.
In the interim as recent events have shown, people will refuse to fly, open their mail, or even leave their homes.

Today we don’t know for sure what was originally loaded into that container. We don’t know what or who may have been added before it arrived at a U.S. port. We don’t know where the box has been. We don’t know if the box that was supposed to move from Paris to Rotterdam in 12 hours actually took 30 hours for unknown reasons.

Today’s "trust but don’t inspect " technique offers little protection – if you were a terrorist, where would you place your dirty-bomb? Personally, I would work out how to get it into one of those "trusted containers" from, say, Mercedes Benz – existing container security wouldn’t keep out an active teenager. See the world, ride a container.

Please keep in mind that implementation of effective security measures will often yield operating economic benefits to the private owners – while reducing related governmental costs and taxes. Time is literally money in the transport business, and for the just-in-time customers at both ends of box movements.

How can this vital segment of the Globalization network be made secure and resilient (i.e., the public and Congress are not driven to shut down the network post-attack)?

The intermodal container business is a very big business, run by some very savvy people, such as John Meredith, head of Hutchison Port Holdings, a $5 billion company that handles a huge proportion of this trade. In the book Flynn recounts how John Meredith has struggled to scale the walls in Washington attempting to discover who he can work with to address the container security problem. Meredith knows the vulnerability. And he knows that Hutchinson, by itself, cannot solve the "what is in the box?" problem (in the trade, the containers are "boxes"). Hutchinson alone could not even implement GPS tracking, content-assurance sensors and other controls – because the containers they service are owned by many unrelated companies. Any port-specific security requirements Hutchinson implemented would also make their channel more costly to shippers than alternative channels with no security.

Securing the intermodal container network requires capital investment and process changes. For the economics to work, we need a level-playing-field solution, which in turn requires international agreement on the regulations. The "good news" is the concentration of the business – about 70% of the containers destined for U.S. ports originated or moved through four terminal operators: Hutchison Port Holdings, P&O Ports, PSA Corporation, and Maersk-Sealand. Given a consensus of these four operators, the associated government cooperation might just follow.

I’ll attempt to summarize what the new, secure intermodal transport system would look like. Most of this comes from Flynn’s papers, testimony and book – I apologize in advance to Dr. Flynn if the model I’ve acquired reflects poorly on his efforts. Once private operators and regulators work out the most cost-effective solutions, the details will surely be somewhat different:

1. This is a Layered-Defense-in-Depth, similar to how we implement computer security systems.
2. The system is Auditable, meaning the location and means of intrusion leading to a terror event can be quickly isolated.
3. All originating ports implement a Red Lane/Green Lane system. This is a powerful incentive for the private operators feeding the port to upgrade to the new standards, such as verifiably accurate documentation, so they can enjoy the Green Lane. Green lane shippers are certified/accepted as compliant, so their boxes incur the least delays and "friction", which translates directly into a competitive cost/time advantage.
4. Green Lane shippers comply with a set of standards establishing "trust" in their whole system – from personnel to records to content-sensors to location/time tracking of boxes.
5. The contents of each box are recorded and verifiable at any state of transport. These records travel with the box in encoded chips, or preferably are transmitted and data based (time-stamped digital scans of the interior of each box empty, half-full and full, etc.)
6. The location of each box is GPS-tracked 24/7 by a transponder that will alarm if removed or tampered. That means that the location of each box is computer-logged in both time and space. If the transponder alarms or goes off-line, that box obviously goes on the alert board. If on land, it will not get into a container port until cleared. Similarly, if at sea, that ship will not land until the concern is resolved.

There are other measures, but that’s enough of an outline. How do we evaluate whether the system is resilient? A thought experiment: suppose that an incident has occurred in the Port of Seattle. Two days later the audit has identified the originating shipper, the bribed workers, and exactly where the box was compromised. Is the Port of Seattle Longshoreman’s Union now ready to go back to work? Or will they call for a lock down of all U.S. Ports?

Footnotes:

(1) Risk Management – in the context of container security (see Ref #7):

At its heart, risk management presumes that there is a credible means to (1) target and safely examine and isolate containers that pose a potential threat, and (2) identify legitimate cargo that can be facilitated without subjecting it to an examination. The alternative to risk management is to conduct random inspections or to subject every cargo container to the same inspection regime. Risk management is the better of these two approaches for both economic and security reasons. The economic rationale is straight forward. Enforcement resources will always be finite and delays to legitimate commerce generate real costs.

Less obvious is the security rationale for risk management. There is some deterrent value to conducting periodic random inspections. However, since over ninety percent of shipments are perfectly legitimate and belong to several hundred large importers, relying on random inspections translates into spending the bulk of the time and energy on examining those containers by the most frequent users of containerized cargo who are most likely to be perfectly clean.

Examining 100 percent of all containers is not only wasteful, but it violates an age-old axiom in the security field that if “you have to look at everything, you will see nothing.” Skilled inspectors look for anomalies and invest their finite time and attention on that which arouses their concern. This is because they know that capable criminals and terrorists often try to blend into the normal flow of commerce, but they invariably get some things wrong because they are not real market actors. But, an aggressive inspection regime that introduces substantial delays and causes serious disruption to the commercial environment can actually undermine an enforcement officer’s means to conduct anomaly detection. Accordingly, allowing low risk cargo to move as efficiently as possible through the intermodal transportation system has the salutary security effect of creating a more coherent backdrop against which aberrant behavior can be more readily identified.

(2) The Next Attack (see Ref #2). There are many frightening scenarios, which can easily distract from focusing on the type of solutions that will work. So I chose not to include any in the main part of this post. To emphasize the magnitude of possible economic damage, consider the following scenario — an attack on the global trade system:

My nightmare scenario, which is one that comes from spending a lot of time talking and seeing how this operates, is a hardware kind of thing. The scenario I lay out in chapter 2 of my book, called "The Next Attack," involves essentially four dirty bombs: one here in Port Elizabeth; another on the Ambassador Bridge, the world’s busiest commercial crossing between Windsor, Ontario, and Detroit, Michigan, where virtually all our automotive industry moves their stuff back and forth; the other is in the Port of L.A.; and the last is in Miami, in the Free Trade Zone. These four dirty bombs go off.

The response by the U.S. government is to immediately close all our seaports and to close the borders. The longshoremen won’t work. The Teamsters won’t drive the trucks. The mayors are saying, "I don’t want any trucks and trains coming into my city," because the terrorists come on Al-Jazeera about six hours later and say, "We have three nukes, not dirty bombs, that we’ll set off if you don’t get out of the Middle East."

The cascading effects are that within two weeks the entire global trade system essentially collapses. It’s because essentially this all has to keep moving to keep moving. I describe it as like being at the bottom of a very long escalator and tripping, and then everything comes crashing down. When we close our seaports, essentially all the ships that were destined to unload goods have to anchor out. Then the terminals overseas, particularly in places like Hong Kong and Rotterdam and Singapore, have to close their gates immediately to all incoming trucks because they have no place to put them; they will be in the cement mix bowl of containers. That means every truck and train coming into the terminal is stuck with a container on its back with no place to go. That means back at the factory with goods to ship there’s no truck or train to pick it up.

References: Each of the networks that the global economy depends upon require similar careful consideration and practical security solutions: food supply, chemicals, electrical production and distribution, nuclear materials, … More to come in subsequent posts. Meanwhile, please consider these references:

1. The Department of Homeland Security: The Way Ahead After a Rocky Start, Written Testimony before a hearing of the Committee on Homeland Security and Governmental Affairs, U.S. Senate, 01/26/05.
2. America the Vulnerable: How Our Government is Failing to Protect Us from Terrorism, Stephen Flynn, Edited transcript of remarks, 1/25/05 Carnegie Council Author in the Afternoon (Merrill House, New York City).
3. Our Hair Is on Fire, Leslie H. Gelb, Warren B. Rudman, Stephen E. Flynn, Gary Hart, Wall Street Journal, 12/16/04.
4. The Neglected Home Front, Stephen E. Flynn, Foreign Affairs, 09/01/04.
5. The Ongoing Neglect of Maritime Transportation Security, Written Testimony before the
   Subcommittee on Coast Guard and Maritime Transportation, 08/25/04.
6. Why America Is Still An Easy Target, By Stephen Flynn,
   07/26/04.
7. The Fragile State of Container Security, Stephen E. Flynn, Ph.D., Written Testimony before a hearing of the
   U.S. Senate Governmental Affairs Committee, 03/20/03.
8. CFR Task Force – America Still Unprepared (PDF) , 10/17/02.
9. Bolstering the Maritime Weak Link, Stephen E. Flynn, presented before the
   United States Senate
   Committee on Governmental Affairs, 12/06/01.
10. National Security in the 21st Century: Findings of the Hart-Rudman Commission, 09/14/01.