"Experts: U.S. security fundamentally flawed"

Thursday, September 26, 2002

Experts: U.S. security fundamentally flawed 
By Christian Bourge
UPI think tanks corresponent
>From the Think Tanks & Research Desk
United Press International


WASHINGTON, (UPI) -- Americans must make a complete change in how they
approach security policy and how they act to protect vital facilities
and infrastructure in order for such efforts to effectively deter
terrorist attacks, leading think tank authorities on security issues
said.

"We are going to have to fundamentally alter our mindset about
security," Brian Michael Jenkins, a senior adviser to the president of
the RAND Corp. and a research associate at the Mineta Transportation
Institute, told United Press International. "Our obstacles are partly
institutional and partly due to institutional thinking and mindset."

Jenkins, who is considered one of the world's leading authorities on
political violence and terrorism, was a member the White House
Commission on Aviation Safety and Security during the Clinton
administration, and co-authored the book "Aviation Terrorism and
Security."

He said more thought and effort has been spent in the United States on
making the supermarket checkout process efficient than has been put into
implementing effective security design in most situations, such as
airports.

Security is a complex issue that involves the implementation of broad
policy decisions at the local, state, federal and international levels,
through a tangle of agencies. But at its most immediate level, it
involves on-the-ground deployment of technology and personnel to protect
public and private facilities from illegal entry or attack.

But according to experts in the field, there is a general over-reliance
on technology and poorly trained personnel to provide security in the
United States. This -- coupled with a poor understanding of security
design and unrealistic expectations about what such efforts can
accomplish -- together ensure that typical security measures are
ineffective, they say.

Since the Sept. 11, 2001, terror attacks, every major defense company in
American has named a vice president for homeland security, and begun
developing technology that it hopes to sell to the government and other
agencies in charge of security.

But Jenkins and other experts argue that machines and technology are not
a silver bullet for the security problem, though efforts by government
and the private sector to beef up security at airports and other
potential terrorist targets is based heavily on the introduction of new
technologies.

"We have depended much more on the development of technology and
deploying that technology than on the human engineering, ergonomics and
operator issues involved in making the machines as effective as possible
with appropriate training," said Jenkins.

Bruce Schneier, an expert on computer security and the co-founder of
Counterpane Internet Security, a company that provides security for
corporate and government computer networks, said that the American view
of technology as the fix for all problems ignores the reality of how
security functions.

"America is enamored with technology, they want the pill that will make
them better," said Schneier, who rose to prominence in the computer
security realm as a creator of computer codes and ciphers. His book
"Applied Cryptology" is considered the bible of the field.

"Americans don't like to think," he said. "Americans don't like it
fuzzy, we don't like to not have an answer."

security is a complicated process that is prone to failure and needs
human creativity to ensure its effectiveness, he said.

"If you want to have real security, what works is having people figuring
out what is going on in real time, inventing new ways of dealing with it
and solving it," he said. "That prevented the fourth plane from hitting
the U.S. Capitol."

Gary Anderson, director of the National Center for Unconventional
Thought at the Potomac Institute for Policy Studies, agreed that making
technology the main barrier to threats is not the answer to protecting
against the asymmetrical nature of terrorism.

"There are a lot of pluses for technology, but what you have got to be
able to do is anticipate the way your opponent is thinking -- and
technology can not provide this," said Anderson, who is a former colonel
in the Marine Corps and executive director of the Center for Emerging
Threats and Opportunities at the Marine training center in Quantico, Va.

"My perspective is that that the vast majority of security, particularly
against asymmetrical threats, is not in technology. It is in the mind of
the beholder," he said. "This is counterintuitive to the American way of
thinking that technology is the solution to everything."

Schneier has also argued that in the case of airline security since
Sept. 11, the focus on how to better block terror threats misses the
point of security.

"Security isn't a barrier, it is deterrence," he said, noting that a
common misconception about the nature of security is that it can stop
hostile actions, when in fact all it can do is act to discourage them.

He added that though this "philosophical difference" needs to be
recognized, the fact is that security efforts will not stop terrorism
because all security measures are inherently open to attack and can
likely be bypassed in some way.

"Terrorism will always be with us. Terrorism is inevitable like murder
is inevitable," he said. "Yet we can live relatively safely."

According to Jenkins, no amount of technology would have prevented what
happened on Sept. 11. In fact, the terrorists that hijacked the planes
did not even violate set security rules or procedures for American
airports at the time, he said.

Anderson says this demonstrates the problem with static security system
designs that rely on set regulations or hurdles: They that establish
regular patterns and weaknesses that can be exploited for an attack.

He contrasted this to the way in which North Vietnamese soldiers were
trained to look for openings in American machine gun fire during battle,
to find areas to attack. Terrorists, by nature, analyze security
procedures and find the weaknesses in the model, he said.

Schneier added that technology provides another level of weakness, in
that there are always parts of computer or engineering designs that can
be exploited.

Jenkins said he believes the over-reliance on technology and the
mismanagement of security in the United States is at least partially the
result of the growth in the privatization of security. Profit-driven
firms that have to compete for contracts face cost constraints that lead
to limitations in the training of their security staff, he said.

Nearly 2 million people are employed in the private security industry,
which exceeds $100 billion dollars a year in revenue, he said. But this
is a highly competitive sector in which contracts are awarded to the
lowest bidder. As a result, salaries for security personnel hover near
the minimum wage, which generates turnover rates that Jenkins said run
as high as 400 percent.

"The training has been of poor quality, unimaginative, and really not
aimed at creating well trained, highly motivated security forces," said
Jenkins.

Jenkins said that beyond improving training, more attention must be paid
to how individuals are chosen to do security work. He said that basic
aptitude testing should be part of this process.

Most important, said the analysts, was the need to design security
systems as layered models that avoid the "castle and moat" approach to
security that prevails in American security. Under this model, if the
main barrier fails, then access is gained to the secured area.

Such a layered design structure is based on the assumption that security
measures will inevitably fail, so multiple tiers of security are created
to provide back-ups for system failures at each level. The idea is not
to design a system that is impregnable, which is impossible, says
Schneier, but rather to design a system that "fails well," in ways that
enable security to be maintained. The key is that each layer of security
must be well integrated into the overall system in order to provide
effective deterrence.

An example of the lack of this wholly systemic approach to airport
security is the hodgepodge of rules that make up the air transportation
security model.

"Each procedure is in response to some specific event in the past, so
what we have in accumulation is a series of responses to what are for
the most part unconnected events and threats," said Jenkins. "We don't
have a web of security."

Schneier added that many of the policy decisions about domestic security
have been made to calm people's fears, not to truly improve security.

In the case of airline security, a series of inadequate checks --
whether they occur at the entrance to the concourse or at the boarding
gate -- do not add up to an effectively layered security system, he
said.

"There are concerns about security and more concerns about perceptions,"
said Schneier. He added that the odds of being on a hijacked plane are
actually quite low. "It is all about the perception of security, and
beyond that is the reality, which is that it is safe to fly."

"Taking away tweezers from little old ladies is not going to make any
difference," he added.

Schneier said some of the responses from the federal government, such as
tracking down the financing of terrorist networks and increasing the
surveillance of foreigners entering the country, are good security
responses.

"We are doing some of the right things," said Schneier. "If the criminal
isn't here, or can't get here, he can't pose a risk."

Nevertheless, he said that American security efforts create danger
because they focus mostly on the last line of defense at the potential
target.

"(Security) has always failed, and will continue to. Your skin will
never stop a bullet," said Schneier.

Jenkins says that policymakers must do all they can to improve the
effectiveness of security in the United States, in part because poor
security has huge economic risks. This was demonstrated by the shutdown
in airline business following Sept. 11.

"We have to have an approach that is going to be realistic in our
appraisal of risk and resilient in its model," said Jenkins. He believes
that because of the economic risks, commercial pressures will ultimately
"oblige us to begin thinking more strategically."

For Anderson, it is impossible to overstate the importance of creativity
and flexibility in security system design. He said that the key to
enabling creativity lies at the local level, with those in charge of
security at individual facilities.

"You have to empower the local security managers to do things, and
perhaps to change things independently every day," he said. 

Anderson also said that mystery must be built into the design of any
security system, to foil terrorists. This can be accomplished by making
random, unscheduled changes to security measures to ensure that patterns
are kept to a minimum.

All three analysts agreed that in most cases, creativity was the key
element missing from security policy and the design of security systems.

"What we need is thinking," said Schneier. "People need to think about
the problems and the best way to solve them, and not just do random
things in case they will work, which is really what we are (still)
seeing."


 Do you have an opinion about this story?
Share it with other readers in our CAA Discussion Forums

http://www.californiaaviation.org/cgi-bin/dcforum/dcboard.cgi?conf=DCConfID8

*****************************************