Schneier on Security
A blog covering security and security technology.
« Interview with an Adware Developer |
| Jon Stewart on Closing Guantanamo and Movie-Plot Threats »
January 30, 2009
Jeffrey Rosen on the Department of Homeland Security
The same elements of psychology lead people to exaggerate the likelihood of terrorist attacks: Images of terrifying but highly unusual catastrophes on television—such as the World Trade Center collapsing—are far more memorable than images of more mundane and more prevalent threats, like dying in car crashes. Psychologists call this the "availability heuristic," in which people estimate the probability of something occurring based on how easy it is to bring examples of the event to mind.
As a result of this psychological bias, large numbers of Americans have overestimated the probability of future terrorist strikes: In a poll conducted a few weeks after September 11, respondents saw a 20 percent chance that they would be personally harmed in a terrorist attack within the next year and nearly a 50 percent chance that the average American would be harmed. Those alarmist predictions, thankfully, proved to be wrong; in fact, since September 11, international terrorism has killed only a few hundred people per year around the globe, as John Mueller points out in Overblown. At the current rates, Mueller argues, the lifetime probability of any resident of the globe being killed by terrorism is just one in 80,000.
This public anxiety is the central reason for both the creation of DHS and its subsequent emphasis on showy prevention measures, which Schneier calls a form of "security theater." But that raises a question: Even if DHS doesn't actually make us safer, could its existence still be justified if reducing the public's fears leads to tangible economic benefits? "If the public's response is based on irrational, emotional fears, it may be reasonable for the government to do things that make us feel better, even if those don't make us safer in a rational sense, because if they feel better, people will fly on planes and behave in a way that's good for the economy," Tierney told me. But the psychological impact of DHS still has to be subject to cost-benefit analysis: On balance, is the government actually calming people rather than making them more nervous? Tierney argues convincingly that the same public fears that encourage government officials to spend money on flashy preventive measures also encourage them to exaggerate the terrorist threat. "It's very difficult for a government official to come out and say anything like, 'Let's put this threat in perspective,'" he told me. "If they were to do so, and there isn't a terrorist attack, they get no credit; and, if there is, that's the end of their career." Of course, no government official feels this pressure more acutely than the head of homeland security. And so, even as DHS seeks to tamp down public fears with expensive and often wasteful preventive measures, it may also be encouraging those fears—which, in turn, creates ever more public demand for spending on prevention.
Michael Chertoff's public comments about terrorism embody this dilemma: Despite his laudable efforts to speak soberly and responsibly about terrorism—and to argue that there are many kinds of attacks we simply can't prevent—the incentives associated with his job have led him at times to increase, rather than diminish, public anxiety. Last March he declared that, "if we don't recognize the struggle we are in as a significant existential struggle, then it is going to be very hard to maintain the focus." If nuclear attacks aren't likely and smaller events aren't existential threats, I asked, why did he say the war on terrorism is a "significant existential struggle"? "To me, existential is a threat that shakes the core of a society's confidence and causes a significant and long-lasting line of damage to the country," he replied. But it would take a series of weekly Virginia Tech-style shootings or London-style subway bombings to shake the core of American confidence; and Al Qaeda hasn't come close to mustering that frequency of low-level attacks in any Western democracy since September 11. "Terrorism kills a certain number of people, and so do forest fires," Mueller told me. "If terrorism is merely killing certain numbers of people, then it's not an existential threat, and money is better spent on smoke alarms or forcing people to wear seat belts instead of chasing terrorists."
Posted on January 30, 2009 at 11:38 AM
• 25 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Just because there are greater threats doesn't mean you disregard something altogether. And it is much different to deal with something intentional than it is something accidental, not in terms of probability but in terms of stopping or reducing it.
You are absolutely correct. And you are arguing a point I don't think I have seen challenged around here.
The topic of debate is "what" a proper response is.
Urban: "You are absolutely correct. And you are arguing a point I don't think I have seen challenged around here. The topic of debate is "what" a proper response is."
The point usually does get argued on this blog in terms of probability, for which they are correct, it is less probable.
What my post is about is in response to statements like this from the original post: "money is better spent on smoke alarms or forcing people to wear seat belts instead of chasing terrorists." Statements like that are basically saying that since terrorists attacks are rare by comparison, that we shouldn't bother addressing it and should spend the money on something else. I think we need to deal with both of them, and terrorism will naturally be more expensive than smoke alarms, but that does not mean it should be ignored. To answer your last comment, I don't think ignoring it because it is more expensive that smoke alarms is a proper response.
It takes much more time and money to catch a murderer than any number of other life saving things, but that doesn't mean we ignore it. Same concept.
Part of what the DHS was originally marketed as doing was facilitating communication between government security departments (FBI, CIA, Police, etc). This is a good thing, more communication will actually help. The problem is that the DHS doesn't just do this, it tries to do the jobs of every department it communicates with as well, and engages in fearmongering as well.
@SAI: "Part of what the DHS was originally marketed as doing was facilitating communication between government security departments (FBI, CIA, Police, etc). This is a good thing, more communication will actually help. The problem is that the DHS doesn't just do this, it tries to do the jobs of every department it communicates with as well, and engages in fearmongering as well. "
It's ironic. I often defend DHS here against some criticisms, because I understand what they try to do (even if I don't agree with how they do it), and I don't ascribe some of the nefarious motives to them others do. I don't even think they do all that much fearmongering.
But, and this is the ironic part, despite my defense against some criticism, if I were ever president I would probably shut them down since the moeny could be better spent elsewhere (or in many cases nowhere). Of course, I'll never be president, so DHS is likely here to stay.
Actually, in my view it is perfectly rational to compare natural threats to man-made ones. Not just because a hurricane can kill you just as dead as a terrorist bomb, but because resources dedicated to managing one threat are necessarily not dedicated to managing the other.
In addition, no risk is really understandable in its own right -- it is necessary to normalize risk to other risks of which we have routine experience, if we are to react rationally to new risks. It makes sense to compare death-by-terrorist to death-by-traffic-accident precisely because it makes no sense to accept an increase in (admittedly impersonal) expected traffic deaths in exchange for a much smaller decrease in expected (intentional) terrorism deaths, if a cost-benefit analysis shows that this is the expected result of transfering resources from transportation infrastructure to counterterrorism.
This is just a silly example (since no transportation bill has ever been less than stuffed with pork in the US), but it works as an illustration. In a situation of limited resources, all risks are comparable, and should be compared. The "intentionality" of the risk is irrelevant, if the object is to save as many lives as possible with the existing resources.
Nice post, and fair enough. I agree in some ways. I am a big fan of strategies that can be used in a wide range of scenarios.
For a completely rational budgeting process for security, each dollar should be spent where it will save the most lives. Of course you have diminishing returns, such that spending ALL of your budget on smoke alarms or seat belts is probably not the rational course. So after allocating each dollar, the best place to spend the next dollar may change. Of course this is impossible to do in real life, but we can hope to approximate it.
Such a procedure may well end up with no money spent on anti-terrorism activities. And if so, then that is the most rational course of action. That terrorism is an intentional activity carried out by humans who wish us harm doesn't change that simple fact.
What it does change is the idea that terrorism's small number of deaths means that no money should be spent on it. It's quite possible that terrorism would be significantly more deadly if no money were spent to fight it, in which case at least some money should go there, although probably much less than current spending levels (and spent in different ways).
But the idea that terrorism should be fought simply because it's carried out by people doesn't make any sense.
I think you make some really good points. I think that is one problem with expensive preventative measures directed at preventing rare but potentially devastating events. When nothing happens, the people doing the prevention claims it is because their tactics work, and those who disagree say it is because nothing would have happened. Conversely, those same groups would argue that an incident is proof the threat is real, and also proof the tactics don't work.
We simply don't have the money we are spending. It's that simple. I think we need to spend less money in smarter ways.
You're absolutely right. The "there have been no terrorist attacks in the last 7 years, therefore we don't need any protection from them" argument is no better than the "there haven't been any attacks, therefore DHS is doing a great job" argument. All I want is rational thought going into funding allocation, and realizing that at the end, someone who dies from an airplane hijacking is no more dead than someone who dies from a house fire brought on by a faulty hairdryer.
The US federal government definitely needs to realize, at some point, that there are limits on the money they can spend, and start cutting back on things no matter how much it hurts.
Even if an organization like the DHS was shut down, that wouldn’t mean that _no_ money was being spent on combating terrorists. They are still criminals after all, and you still have perfectly competed law-enforcement organizations to go after criminals, don’t you?
One of the main problems the DHS has is that it is a facilitator without authority.
It has to make various three letter agencies who are more intrested in cutting each others throats talk to each other rationaly without the authority to enforce it...
With regards to deployment of resources and terrorism there are three main points
The first is defence through knowledge which is what the various Intel agencies should be doing.
The second is post event response such as training for first responders and sensible disaster response planning.
Thirdly is the triage level society is prepared to accept.
It is this third aspect where the real resource allocation trade offs happens. As a society we have to accept that people die from non natural causes.
It does not matter if it is an "act of god" or an "act of the devil" we have to decide what level of prevention we apply.
However there are two difficulties with this firstly is the very human but unrealistic response to equiprobable events in that accidents are "a part of life" where acts of terrorism are "outrages against humanity", therefore we routinely accept many many thousands of deaths each year due to vehical "accidents" but are outraged by deaths by terrorism that rank alongside that of deaths by lightning strikes etc.
Secondly is most humans have difficulty with the exponential nature of cost to risk reduction.
Expecting a rational level of triage to be excersied within these two constraints is a little like expecting pigs to fly unassisted.
This is not helped by the fact that natural disasters and terrorist events have a very very low probability of occuring at any given place or time.
Rationaly the low probability sugests that an equally low level of resources should be deployed.
However unlike natural disasters there is a corelation between events and spending. This is almost identical to the standard cost model for millitary defense (ie you only know when you have not spent enough, you have to guess when you have spent to much). This model also applies to Intel costs.
However natural disasters terrorism and more normal events have very similar outcomes. Does it matter if a horel is burning due to an accident or from a bomb the results are effectivly the same.
This sugests there are significant oportunities in response spending. That is the additional training required for dealing with a low probability event such as a natural disaster or terrorist event is marginal at best compared to that required for more probable events such as fires and vehical accidents.
Therefore the additional training costs to first responders is sufficiently small that it is more nearly proportianal to the probability of a low probability event.
Therfore resources spent on response training tend to be on the part of the exponential cost cure that appears nearly linear, and therfore represents the best returns on resources deployed.
The resources deployed on Intel should be proportianate to that of other similar law enforcment deterance such as that for serious organised crime.
"The problem is that the DHS doesn't just do this (facilitate communication with other agencies), it tries to do the jobs of every department it communicates with as well, and engages in fearmongering as well"
EXACTLY. And to elaborate on points made by HJohn and Michael Ash, it is not an issue of "shut DHS down and allocate NO funds" but changing how DHS functions based upon the original premise it was developed under.
Appoint a director of DHS with strong security/risk management & assessment background (someone, like, say, Bruce ) and a core committee of folks who have ties/contacts/experience with each of the core intelligence groups at the federal level (NSA, FBI, CIA). Included would be representatives to work with state and local law enforcement interests.
Obviously, a rough draft, but you get the idea... a compromise between nothing and the bloated $40-Billion-Dollar-Shoe-Confiscating-Liquid-Banning-Security-Pacifier organization.
And to quote Dennis Miller... "but that's just my opinion, I could be wrong". Cheers all.
"When nothing happens, the people doing the prevention claims it is because their tactics work, and those who disagree say it is because nothing would have happened. Conversely, those same groups would argue that an incident is proof the threat is real, and also proof the tactics don't work."
For me, the easiest way of judging the merits of those points is looking for real world examples.
There was an attack on the WTC during Clinton's administration. And he took some specific actions. And there was not another attack on the WTC until Bush's administration.
So, it would seem that the baseline we have would be the actions that Clinton took.
@ Brandioch Conner,
"There was an attack on the WTC during Clinton's administration. And he took some specific actions. And there was not another attack on the WTC until Bush's administration."
This gives rise to a thought,
Has anybody looked at which party does worse for terorist incidents with regard to "it falling in their watch" with respect to the various elected offices and chambers?
I'd assume that there haven't been enough terrorist incidents in the US for such a study to be statistically meaningful, although I could very well be wrong. That's the trouble with terrorism risks, it's too rare to be easily evaluated with statistics.
@ Michael Ash,
"That's the trouble with terrorism risks, it's too rare to be easily evaluated with statistics."
And that is exactly what one of the issues is.
However as I mentioned above there are other issues.
One issue is that we belive there is a inverse corelation between alocation of resources and terrorism events.
That is we "assume" that with non natural events such as terrorim (Acts Of the Devil) when we spend to little or inefectivly a terrorism event will happen. When we spend sufficiently or effectivly then terrorism events do not happen.
However it is guess work as to whether the assumption is true or when we are spending to much or spending inefficiently. This is the classic security cost dilema.
Which is different to major natural events (Acts Of God) such as earthquakes, huricanes etc no amount of spending currently will stop them occuring (we do not have the knowledge and therfore the ability to stop them).
Therefore you have to harden your infrestructure and take measures to protect lives. You only know when you have spent to little when your infrestructure is damaged or the death toll is above acceptable limits (ie triage which is another issue).
The clasic response to natural (AOG) events in the modern world is improved building codes and emergency procedures. Both of which have an economic downside in that infrestructure becomes much more expensive to build and the procedures require resources to implement.
What stops these downsides being caps on society is technological advances.
In engineering terms you would view both the natural (AOG) and non-natural (AOD) event types as an impulse input into an open servo system where you only know the something is deficiant when the system fails. That is when it jumps the track or breaks.
The normal engineering solution to such open servo systems is to close the loop and aim to get a criticaly damped response erring on which ever side gives the desired loop response features.
But with random impulse input and a loop that cannot be closed (ie no feedback except system failure) you have no way of determaning when you have overdamped or underdamped the response of the system or if it is effective in operation.
Therefor the engeneering solution when the loop cannot be closed is normaly to err on the side of caution and to overdamp and put in secondary systems like end stops to keep the failure within acceptable limits (ie non catastrophic).
This producess a system that can be operated in one of three ways.
1, Where the system breaks catastrophicly and is replaced on failure.
2, Where the level of failure is not catastrophic but the level of damping is always increased.
3, Where the level of failure is not catastrophic and the level of damping is increased on failure but importantly then is decreased again over time.
The type 1 system is like a mass produced item in that it is designed neither to survive failiure or be repaired but is sufficiently low cost and easy to replace should it fail.
The type 2 system is one that becomes steadily more damped untill there are less and less failures, to the point you "assume" they are all damped out. However the level of damping is such that in the long term the system is not effective. This is like the development of Victorian beam enginees and pumps grossley over engineered by todays standards and extreamly ineffective.
The type 3 system accepts that you occasionaly hit the end stops but the short term cost of correcting the failure is less than the long term cost of prevention and with time becomes an effective solution. The system is usually designed such that it is resiliant but in an effective manner.
Usuall in the modern world there are only a couple of acceptable ways to operate a system. One is that you reduce system costs to a minimun and on failure you replace the system (type 1). The other is to accept that the system will fail from time to time but is built so failiers are non catastrophic but broadly effective (type 3).
Our choice is dependent on how well we can model failures and their costs which is another issue.
Generaly with low value systems you pick the first solution and with high value systems the second.
In the third world due to lack of resources, infrestructure and lives are generaly considered to be of a value such that the first solution is used.
In the first world, infrestructure and lives are considered sufficiently high value that the second solution is prefered where ever they are at risk.
This difference of view point on value of infrestructure and lives is yet another issue.
The second solution of a type 3 system is effectivly what we currently have for many natural events (AOG).
However it needs to be noted that less than a hundred years ago type 3 systems where not an option for natural events, which is why building codes where generaly of type 2.
This is a very important issue science and engineering advances made it possible and to most people they see it as technology solved the problem. And in the process has engendered the feeling that difficult problems can be solved if you throw enough technology at them.
What does not appear to be accepted by some is that technology cannot solve unknown problems from unknown problem domains (Black Swans).
Technology can only solve known issues that have been catagorised or those that fall within broad solutions to known problem domains.
However what is not commanly realised is that technology cannot help with problems that are not catogarised or have unknown probabilities.
Which brings us back to your issue about rare events for which statistics have not produced probabilities.
Technology can only prevent them if they fall within the limits of existing solutions to other previous events.
Which is realy the underlying issue with Bruce's "Security Theater"
But this but a single issue we must deal with the other issues as well.
A) We have to accept that resources are limited not just because they are finite but also because there use defines society and human progress.
B) We need to accept that there need to be failures in the system for it to be effective. Type 2 systems limit society and are ineffective compared to type 3 systems.
C) Therefor we should accept the consiquence of issues A and B is triage. That is we have to decide what the acceptable level of failures are against resources.
D) We must accept that the value of lives and infrestructure is not related to events. That is a life lost in a by a lightening strike is just the same value as a life lost by a terrorist bomb or bullet.
E) We must apraise the long term cost of prevention against the short term cost of replacment. That is we need to look at the value of deploying resources. For instance would we be better spending the DHS budget on providing safe drinking water and basic infrestructure to other parts of the world.
F) We therfore need to develop realistic models to analyse the costs of various forms of prevention and failure independant of political imperative.
G) We have to accept that our current assumptions may be wrong, that is, there may be no inverse ratio between non natural events such as terrorism and allocation of resources.
H) We also have to accept that there are always going to be predictable events we did not take preventative steps to stop. That is prevention is resource limited and non natural events will happen in those areas we did not cover.
I) We have to accept that there are not technical solutions to Black Swan problems.
J) We have to accept that technical solutions need to be for a broad range of events not specific events. That is making a device that picks up only nitrates will be easily avoided. But changing cockpit door design stops not just terrorists of many forms but drunken passengers as well (but does not stop suicidal pilots).
K) We realy need to accept that known but low probability events cannot be modeled and therfore cannot be dealt with effectivly by technology or policy.
There are other issues but adressing some if not all of these will make a significant improvment.
@HJohn and others
Another thing Bruce frequently writes about is spending on mitigation and recovery, which again does not depend on what caused the problem in the first place.
There are actually a number of reasons why a rational decision-maker may not equally weigh lives lost/costs due to terrorism vs. lives lost/costs of natural hazards.
First, as folks like Slovic and Covello have written extensively about, the public's perception about the risks of terrorism will likely always be inflated when compared to natural hazards due to various risk perception factors such as dread, uncertainty, etc. While I dont think the government has been a very good risk communicator when it comes to terrorism, even with improved risk communication efforts the perception of terrorism risks will likely be inflated.
An essential element of risk management is determining risk tolerances/appetites for the affected stakeholders. The general public's risk tolerance levels for terrorism are much lower than for other types of risks that are perceived to be more natural in origin. As a result, it would be rational to spend more money on preventing a life lost due to terrorism than a life lost due to a car accident. It probably is not appropriate to do a cost-benefit analysis for all government programs b/c of these differing risk tolerance levels.
Further, the secondary/tertiary/indirect impacts of terrorism are typically much greater than those of a similar scale natural hazard. A terrorism attack that kills 100 people can cause widespread fear that has major impacts on local/regional/national economies. A 100 people killed in various traffic accidents does not have that same effect.
@ DHS RiskGuy,
"A terrorism attack that kills 100 people can cause widespread fear that has major impacts on local/regional/national economies. A 100 people killed in various traffic accidents does not have that same effect."
Which is just one reason I wish people would stop comparing traffic injuries/deaths to that of terrorism.
Nearly all traffic injuries/deaths are preventable the majority are not accidents but system failures and should be seen as such. Therefoe they are not in the slightes "natural" but "non-natural" events.
As system failures they are sufficiently frequent and well known to be easily analysed and broadly predictable both for insurance and municipal / civic planning.
As risks these system failures are very well catagorised and proven technology exists to reduce them to near negligable levels.
And due to their frequency we regard them as "normal" not "extrodinary" and thus have a very distorted view of them.
If you must have a "natural" to "non-natural" comparison pick something like lightning / tornado strikes where the numbers of deaths and injuries are closer, as are the infrastructure loss costs.
Also perhaps surprisingly the costs of personal / infrastructure protection are somewhat similar as well and have similar downsides.
Our false perceptions of terrorist risk and our inability to model it are two major issues as to why we have not realy moved forward since the WTC and London events.
Perhaps the recent financial crisis will force us to re-evaluate as we cannot afford to spend on both unless of course the federal reserve turns on the printing presses to create inflation at the electorates expense...
Is it me or is there something wrong with,
"in fact, since September 11, international terrorism has killed only a few hundred people per year around the globe, as John Mueller points out in Overblown. At the current rates, Mueller argues, the lifetime probability of any resident of the globe being killed by terrorism is just one in 80,000."
As far as I can tell the following information is reasonably accurate (but your mileage...).
According to the US Pop Clocks the current world population is just under 6.758E9 people of which 0.306E9 are in the US. (http://www.census.gov/main/www/popclock.html)
The world avarage life expectancy at birth in 2008 is given by a number of sources as 66.12 years and that for the US is 78.06.
Due to the way deaths are usually reported (as a rate normalised to population normalised against...) you get strange figures like 8.9/1000, not the actual number which is not helpfull. And it can be skewed quite heavily by the birth rate (which varies from 1.1-8 / woman depending on which country you are in). All of which makes calculating the odds of death by terrorism harder than it should be.
But as a quick and dirty aproximation
Anual Deaths = population / life expectancy.
Which for the world would be 6.7E9/66.12 ~1E8
And for the US 3E8/78 ~4E6
However the figures for terrorist related deaths and injuries are a little more straight forward. In its annual counterterrorism report last year, the US state department said the number of people killed or injured in terrorist attacks in 2007 jumped to 67,000, up from 59,000 the year before. About 60% of those occurred in Iraq.
Deaths had increased to over 22,000 up ~9% on the previous year (20872 to 22685), which likewise had been 40% up on the year before, mainly due to muslim deaths (~50%) in Iraq, Pakistan etc. But importantly due to the way the state department defines terroism deaths, it did not include those in Palestine (killed by IDF) but did include deaths in Israel caused by Hamas.
So with ~1E8 anual deaths of which ~2E4 are due to terrorism I make that's odds of ~5E3.
However with ~50% being in what most would regard as "countries at war" that brings the figure to 1E4 or 1:10,000.
The figure for terorism related deaths in 2007 in the US is an open question partly due to the way the state department defines terrorism deaths and also as people are still dying due to the effects of 9/11. So a meaningfull figure is not possible.
Go figure the odds for yourself but "a few hundred deaths" and a chance of "just one in 80,000" are quite a bit of the mark by my reconing...
@Fed Tech: "...but changing how DHS functions based upon the original premise it was developed under."
Or perhaps changing the original premise, which was perhaps flawed.
DHS was created as an amalgam of many existing agencies, as a political response to the "SOMEBODY'S GOTTA DO SOMETHING!" public mentality after 9/11. A major disaster with major public concern needed major headlines, and creating a huge new Federal bureaucracy filled the bill.
Problem is that it really did not add value, in fact if anything it detracted. It created window dressing and security theater, without eliminating the interagency politics (well, ok, it eliminated some inter-agency politics by making them intra-agency politics, but left other examples in place). It did nothing to eliminate the silos and political correctness filters that permeate the official establishment. It simply sucked resources and created a twelve hundred pound gorilla to dominate the discussions for better or worse.
Perhaps we would be better to eliminate DHS as a separate entity, or at least cut it down to an appropriate size. Return agencies such as the Coast Guard and the Secret Service and Customs and Plum Island Animal Disease Center to their original status. Reassign the DHS fusion function to the NSC.
One last change, require all employees and contractors to be US citizens. It would be very interesting to learn how many TSA and other security screeners are non-citizens.
All DHS employees and contractors are US citizens. It is a legal requirement. Also, how does reassigning USCG to DOT improve anything?
@Clive - I agree that it doesnt make much sense to compare deaths due to terrorism and deaths due to more ordinary accidents. I was disagreeing with Ash who was saying that we should compare them.
""To me, existential is a threat that shakes the core of a society's confidence and causes a significant and long-lasting line of damage to the country," he replied. "
Lordy, Chertoff is a Bush-quality imbecile. An existential threat is a threat to one's existence, not just a threat to one's self confidence. Is Belgium an existential threat because they have a longer life-span than us?
If you're not being over-run by a Mongol horde, you're not under an existential threat. Case closed.
@kangaroo - actually Chertoff is one of the smarter people I have come across. Not too many imbeciles graduate magna from HLS.
Anyways, he did not say a "threat to one's self-confidence." He said a threat that shakes the core of society's confidence. Obviously two completely seperate things.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.