Schneier on Security
A blog covering security and security technology.
« Laissez-Faire Access Control |
| Is Antivirus Dead? »
November 9, 2009
John Mueller on Zazi
I have refrained from commenting on the case against Najibullah Zazi, simply because it's so often the case that the details reported in the press have very little do with reality. My suspicion was, that as in in so many other cases, he was an idiot who couldn't do any real harm and was turned into a bogeyman for political purposes.
However, John Mueller -- who I've written about before -- has done the research:
Recalls his step-uncle affectionately, Zazi is "a dumb kid, believe me." A high school dropout, Zazi mostly worked as doughnut peddler in Lower Manhattan, barely making a living. Somewhere along the line, it is alleged, he took it into his head to set off a bomb and traveled to Pakistan where he received explosives training from al-Qaeda and copied nine pages of chemical bombmaking instructions onto his laptop. FBI Director Robert Mueller asserted in testimony on September 30 that this training gave Zazi the "capability" to set off a bomb.
That, however, seems to be a substantial overstatement--not unlike the Director's 2003 testimony assuring us that, although his agency had yet to identify an al-Qaeda cell in the U.S., such unidentified entities nonetheless presented "the greatest threat," had "developed a support infrastructure" in the country, and were able and intended to inflict "significant casualties in the US with little warning."
An overstatement because, upon returning to the United States, Zazi allegedly spent the better part of a year trying to concoct the bomb he had supposedly learned how to make. In the process, he, or some confederates, purchased bomb materials using stolen credit cards, a bone-headed maneuver guaranteeing that red flags would go up about the sale and that surveillance videos in the stores would be maintained rather than routinely erased.
However, even with the material at hand, Zazi still apparently couldn't figure it out, and he frantically contacted an unidentified person for help several times. Each of these communications was "more urgent in tone than the last," according to court documents.
Clearly, if Zazi was able eventually to bring his alleged aspirations to fruition, he could have done some damage, though, given his capacities, the person most in existential danger was surely the lapsed doughnut peddler himself.
As I said in 2007:
Terrorism is a real threat, and one that needs to be addressed by appropriate means. But allowing ourselves to be terrorized by wannabe terrorists and unrealistic plots -- and worse, allowing our essential freedoms to be lost by using them as an excuse -- is wrong.
I'll be the first to admit that I don't have all the facts in any of these cases. None of us do. So let's have some healthy skepticism. Skepticism when we read about these terrorist masterminds who were poised to kill thousands of people and do incalculable damage. Skepticism when we're told that their arrest proves that we need to give away our own freedoms and liberties. And skepticism that those arrested are even guilty in the first place.
The problem with these arrests is that the crimes have not happened yet. So these cases involve trying to divine what people will do in the future. They involve trying to guess as to people's motives and abilities. They often involve informants with questionable integrity, and my worry is that in our zeal to prevent terrorism, we create terrorists where there weren't any to begin with.
It follows that any terrorism problem within the United States principally derives from homegrown people like Zazi, often isolated from each other, who fantasize about performing dire deeds. Penn State's Michael Kenney has interviewed dozens of officials and intelligence agents and analyzed court documents, and finds homegrown Islamic militants to be operationally unsophisticated, short on know-how, prone to make mistakes, poor at planning, and severely hampered by a limited capacity to learn. Another study documents the difficulties of network coordination that continually threaten operational unity, trust, cohesion, and the ability to act collectively. And the popular notion these characters have the capacity to steal or put together an atomic bomb seems, to put it mildly, as fanciful as some of the terrorists' schemes.
By contrast, the image projected by the Department of Homeland Security continues to be of an enemy that is "relentless, patient, opportunistic, and flexible," shows "an understanding of the potential consequence of carefully planned attacks on economic transportation, and symbolic targets," seriously threatens "national security," and could inflict "mass casualties, weaken the economy, and damage public morale and confidence." That description may fit some terrorists--the 9/11 hijackers among them. But not the vast majority, including the hapless Zazi.
EDITED TO ADD (11/9): This is the Michael Kenney paper that Mueller cites.
Posted on November 9, 2009 at 12:15 PM
• 36 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
It must be tough to "know" when to pull the trigger on an investigation such as this. I suppose it all depends on the mission of law enforcement and the risks of letting the plot continue to execution. I don't know for sure just what the mission is of the FBI in these cases, but I'm sure that at some point protection (a protective control) trumps prosecution (a corrective control).
Before everyone starts wetting themselves about the TSA, or the Patriot Act, or the NSA wiretapping basically everybody, let's first ask ourselves this:
Is there any doubt that this nutjob would have kept trying? And is it totally outside the range of possibility that he eventually would have succeeded? No?
I think we learned a lesson last week about allowing loudmouthed nutjobs to spout off without at the very least taking a closer look, before they try something stupid and obviously unworkable like taking a handgun and a pocket full of ammo into a miliatry base and popping off into the crowd.
I see two issues here:
1) Should the FBI/CIA/DHS stop people like Zazi, put them on trial, and (if convicted) send them to jail? Yes. They're criminals.
2) Should the FBI/CIA/DHS use cases like this to "prove" that we're under constant attack and need to allow more surveillance? No. Even if not caught, all of the US "terrorists" since 9/11 were far more likely to kill themselves than successfully pull of an attack.
But don't you propose exactly this sort of policing as the solution to terrorism, rather than, say, endpoint security? In that world that you support, most successes are going to be like this. Any suicide bombers are going to be people who are, at least in some important respect, incapable of thinking clearly.
What Kevin said.
The prosecuting is not the problem (though entrapment by police informants apparently can be). The problem is the fearmongering that is going on in ADDITION to reasonable prosecutorial actions.
A terrorist wanna be tried to detonate a van full of explosives 6 blocks from where I sit using a cell phone detonator.
While whether or not he could have pulled it off without the help of the co-conspirator, who was actually an undercover agent, will never be known. However, the following facts are known:
1. He wasn't picked at random, he was targetted because of activities he was engaging in.
2. The undercover agent gave him ample opportunity to withdraw from the plot, and he was determined to move forward.
3. He was not arrested until he actually called the cell phone number that was to detonate the explosives.
This is a difficult problem to solve. Of course, some of the changes to the law made conspiring to commit acts of terror a crime, not just the act of terror itself. In those terms, it makes sense. We never charge someone with attempted speeding or conspiring to speed because it is a minor crime. However, we do charge people with attempted murder or conspiracy to commit murder because the crime is so vile and irreparable that merely plotting to do it is enough to warrant severe punishment.
I see terrorism the same way. It is illegal to conspire to commit an act of terror, as it should be. The burden should then be on the authorities to prove beyond a reasonable doubt that the suspect was, indeed, conspiring to commit an act of terrorism. At this point, whether or not it would have worked is not really rellevant. Just because you weren't smart enough to turn the safety off on the gun before pulling the trigger doesn't mean pulling the trigger with intent to kill wasn't a crime, so to speak.
@Henning: "The prosecuting is not the problem (though entrapment by police informants apparently can be)."
I agree. The authorities must tread carefully to prove conspiracy and intent without entrapping. Not always easy, but giving the suspect ample chance to bail and not over guiding them should be standard practice.
I want to clarify something in my above post about "conspiring to commit terrorism." I'm not talking about people who fantasize about it or cheer it, as horrid as that is. I'm not for prosecuting such thought crimes or misguided cheerleading any more than I am for prosecuting some idiot who gets mad at his wife and says "I could just kill or" or for prosecuting feminists who cheered lorena bobbitt.
Conspiring to commit terrorism, like conspiring to commit murder, is an act, not a fantasy or a celebration. It may be tough to prove what they actually would have done, but it definitely involves action, not thought. It's similar to rigging a bomb to explode when one starts their car--you don't have to prove he knew how to wire it right in order to prove a crime was committed. Same concept.
But I wanted to be clear that people fantasizing about committing evil or cheering on people who do is not what I mean by conspiracy. All crime should involve action, even if that action doesn't go as far as the perp wanted.
"I think we learned a lesson last week about allowing loudmouthed nutjobs to spout off without at the very least taking a closer look, before they try something stupid and obviously unworkable like taking a handgun and a pocket full of ammo into a miliatry base and popping off into the crowd."
I guess you don't spend much time reading around here.
That EXACT approach has been described here MULTIPLE times. And it is almost impossible to stop. And it works even if it is at an airport (during Thanksgiving rush) or a mall (during the Christmas rush).
It's a good thing he's in protective custody from himself or he would have eventually succeeded in blowing himself up.
@readams: This "damned if you do, damned if you don't" sort of conclusion is typical at this blog. It would be nice to have Bruce weave his opinion needle more consistently, but won't hold my breath.
@Frank Ch. Eigler: "damned if you do, damned if you don't"
I agree with that. I respect Bruce and much of his opinions, and I do agree with much of his writings about inefficiency and theatre, but I do think that hindsight bias is very problematic here. I can usually count on two things:
1. If something is not prevented, the day would have been saved by doing x, y and z.
2. If something is prevented using x, y and z, it is downplayed, dismissed, called a 'movie plot', etc.
In both circumstances, everyone seems to know what to do. after the fact, of course.
If Zazi would have killed a bunch of people, the very same evidence that is dismissed here would be viewed much differently.
Excuse me here, But there seems to be some overlooked discrepencies in all this. As to what is here stated:
>"Zazi is "a dumb kid, believe me." A high school dropout, Zazi mostly
>worked as doughnut peddler in Lower Manhattan, barely making a living.
>Somewhere along the line, it is alleged, he took it into his head to set off a
>bomb and traveled to Pakistan where he received explosives training from
>al-Qaeda and copied nine pages of chemical bombmaking instructions onto
Such as how is a person with the lack of certain qualities normally assoiated with doing great (or evil) deeds manages to do even that he is said to have done. I do believe that it would cost quite a few $'s just in the travel alone. And unfortunately far too many "normal conmputers", who finished at least (US) High School, (perhaps not here however) still have difficulties with "Copy" and "Paste". "Nine pages of Chemical Bombmaking", and had an understanding of the material to be a threat. More than a few Under Grads might have trouble in that, and this kid is listed as a "High School Dropout".
>"he could have done some damage, though, given his capacities, the person
>most in existential danger was surely the lapsed doughnut peddler himself."
Any dammage could have had serious consequenses if in the wrong place at the wrong time, and not only to himself, but anyone else within a range effective relative to whatever he was cooking up.
The publics lack of confidence in this character (Zazi) does not fit his real profile or actions. The wanted negative perceptions are quite simply an effort to placate a neverous public. -or- Some-one explain please. -d
(John) Mueller's central point doesn't stack up. He seems to be saying that because Zazi wasn't able to receive local technical support in his terroristic endeavours, this is counter-evidence to the claim by (Director) Mueller of the FBI that al-Qaeda had "developed a support infrastructure" in the US.
It may be that Director Mueller was wrong or overly cautious in making that statement, but the Zazi case provides no evidence of that, for two fairly obvious reasons:
1. If al-Qaeda does still have such assets in the US, they might not make them available to the Zazis of this world, lest they be exposed. Rather, give a Zazi enough information to do it himself, and leave him to his own devices; if he fails, no-one cares, if he succeeds in creating any sort of havoc, that's a positive result for al-Qaeda; and
2. Over 6 years have passed between the FBI making that assessment, and the Zazi case. Quite a few alleged or convicted Islamist terrorists have been arrested in the meantime. For example, Director Mueller was speaking not long after the arrest of James Ujaama, and before the arrest of Abu Hamza al-Masri. Ujaama testified that he had helped al-Masri to establish a terrorist training network in the US. Again, when Director Mueller made those comments, the "Virginia Jihad Network" investigation was in high swing, members of which had just spent tens of thousands of dollars purchasing body armour, NVGs and UAVs. Khalid Shaikh Mohammed (the chief planner of 9/11) was still at large, had just masterminded another bombing in Indonesia, and was known to still have agents in the US (some of whom have since been arrested and convicted.)
"I agree with that. I respect Bruce and much of his opinions, and I do agree with much of his writings about inefficiency and theatre, but I do think that hindsight bias is very problematic here."
Yes, you do tend to say that. Yet you have never been able to produce any support for that statement.
Meanwhile, example after example has been provided on specific items for you.
Example, taking off your shoes at the airport. When the exact same amount of that explosive can be hidden just about anywhere on your body.
"... to be operationally unsophisticated, short on know-how, prone to make mistakes, poor at planning, and severely hampered by a limited capacity to learn."
Um, was he referring to would-be terrorists, or would-be winners of a self-described "War on Terrorism"?
@Brandioch: "Example, taking off your shoes at the airport. When the exact same amount of that explosive can be hidden just about anywhere on your body."
I'll respond to this part first, since you can't really support what you've said, since I think taking the shoes off is a dumb policy and have said so many times. Understanding how the risk is bigger for them when multiplied by two million travelors a day does not mean I agree with it.
Insofar as the hindsight bias, it's my observation at times. I'm not going to bother to try to prove it. There is no good way to measure it. It's impossible for us here it know that Zazi wouldn't have killed anyone if it weren't for the events discussed, just as it's impossible for us to know what would have happened if 9/11 would have happened differently.
Agreed. If they had stopped the 9/11 plotters ahead of time, would we be reading a blog post ridiculing a plan that involved a bunch of highschool dropouts hijacking multiple airliners using only box cutters?
Or if they had discharged Malik Hasan, we'd be accusing the Army of religious discrimination....
Damned if you do, damned if you don't.
As much as everyone here likes to think they have all the answers, I posit that most people reading this should be glad they don't have jobs where life and death decisions are made.
@Sam: "If they had stopped the 9/11 plotters ahead of time, would we be reading a blog post ridiculing a plan that involved a bunch of highschool dropouts hijacking multiple airliners using only box cutters?"
We'd also be reading news stories about the treatment of innocent Muslims whose "crimes" were taking flight lessons.
If we'd stopped the 9/11 hijackers ahead of time it is very likely that the United States would still smugly believe that any terrorist plot of that magnitude is patently impossible to carry out on American soil.
Should the FBI/CIA/DHS use cases like this to "prove" that we're under constant attack and need to allow more surveillance? No. Even if not caught, all of the US "terrorists" since 9/11 were far more likely to kill themselves than successfully pull of an attack.
Note that not all terrorists are part of some complex conspiracy nor are all terrorists "Islamic". (Including some which involve criminal conspiracies). There are also plenty of criminal conspiracies which have nothing to do with terrorism. (Fraud probably being a far more common motive here.)
Is there any actual evidence that mass "surveillance" is actually much use for catching criminals.
Zazi is a stool pigeon, he was handed to US on a silver platter by Pakistani ISI.
They set him up and then let FBI create the hoolpa, the rationale is very simple - It was Pakistani government showing their support in war-on-terror as the $7.5B Kerry-Lugar bill was getting approved!
Of the "damned if you do, damned if you don't" idea, the key is assessing the actual risk of the scenario abstracted from this specific incident, and then weighing that risk against what preventative measures can be brought forward.
If we'd caught the hijackers for 11/9/2001, then we'd need to ask whether that'd be an effective method and what reasonable measures could be taken to prevent it. Maybe we'd get it right and say it could be done, maybe not, but taking away weapons is fairly reasonable either way. Or reinforcing the cockpit doors.
@Zith: "If we'd caught the hijackers for 11/9/2001"
I can imagine the headlines and ridicule if the 9/11 hijackers would have been caught, and then the authorities argued that they stopped 19 men with box cutters from destroying the twin towns, damaging the pentagon, and killing 3,000 people.
We would probably of had a "9/10 Commission" on the treatment of Arabs whose "crimes" were taking flight lessons and being Muslim, instead of the "9/11 Commission" on the failure to connect the dots.
If anybody is interested in the UK's reaction to terrorism, Law in Action interviewed Sir Ken Macdonald on his time as Director of Public Prosecutions for England and Wales when government policy focused on tackling terrorism.
"He says that a need to be seen to be doing something fuelled a lot of the government's criminal and terror legislation during his time as DPP.
He says that there has been far too much legislation and believes the next parliament could do well to "back off, calm down, and leave criminal justice alone for a while"."
I would argue that the US should follow similar advice; but the 'need to be seen doing something' will be too pervasive.
@uk visa: "I would argue that the US should follow similar advice; but the 'need to be seen doing something' will be too pervasive."
I would agree for the most part. Tragically, and what is perhaps a fatal flaw in many representative governments, is that people get elected and reelected (or more specifically, defeated for reelection) based more on perception than reality. And since it is impossible for a couple hundred million people to be experts and/or educated in every issue, perceptions tend to trump reality.
A Columbine/Fort Hood style killer is a lot more difficult to detect/stop than someone planning to use explosives. It's not that far reaching to believe that if these terrorists were in America and willing and ready to act, that they would already have been attacking schools instead of airports.
"I'll respond to this part first, since you can't really support what you've said, since I think taking the shoes off is a dumb policy and have said so many times."
Well then I'm sure that you'll be able to easily provide an example of something you think is a "good" policy that others here would disagree with.
"I'm not going to bother to try to prove it."
Which is exactly what I said. You can make all the claims you want, but when it comes to supporting them, you cannot.
And that is the way it will always be.
Okay genius, since when does someone saying they see some hindsight bias require proving it? Especially considering it is impossible, even for a super genius like you, predict the future.
Why don't you enlighten us on how you predict the future. What proof do you have as to what Zazi would have done if they left him alone?
I support my opinions just fine, you just disagree with them, whicn is your right. But instead of disagreeing, you insult. Considering you can't do what you are demanding I do, because it is IMPOSSIBLE, you really don't have any room to be such a condescending ass.
@derf there are tons of way one could damage infrastructure with relatively cheap and available items, it would be enough having some grams of brain. (popping out fuel truck on highways, try yo stop _that_)
Then again real threats are most likely to be stopped well before becoming real damage.
"Okay genius, since when does someone saying they see some hindsight bias require proving it?"
You've made a statement that you cannot support.
"Why don't you enlighten us on how you predict the future. What proof do you have as to what Zazi would have done if they left him alone?"
Why don't you reference what I've said about him, first?
"I support my opinions just fine, you just disagree with them, whicn is your right."
No, you do not. As shown in the first sentence of your post:
"Okay genius, since when does someone saying they see some hindsight bias require proving it?"
You claim that you support your statements and then you claim that you don't have to support your statements.
It doesn't work like that. Support your claims.
Conner, I'm withdrawing from this. We're both being immature, and I don't want banned from this blog.
To answer your question about shoes at airports, i've commented on that several times (hint: i agree with you that it's a wasted policy). I'll be glad to discuss any issue when it is on topic, but I'm done with this here. But I'm not going to bicker with you on a personal level any more.
"Most serious"? Someone's got to be kidding. If the guy couldn't put a bomb together, then its chances of exploding it were precisely nill. NILL. NADA. ZILCH.
No, seriously, the US is under attack from its banking sector, not from disaffected Muslims. Disaffected Muslims - allegedly in Afghanistan - brought down the Twin Towers. The US's own unregulated banking sector destroyed its economic standing. The US is now a financial dependency of the People's Republic of China.
Meanwhile, the various spy agencies are using this sort of theatre to enlarge their theatres of operation, their surveillance of ordinary citizens, and their claim to an every increasing share of the budget in a time of austerity.
Cui bono? And, "a drowning man never asks for his rescuers' credentials before he is rescued."
Anyone want to speculate that the "unidentified person" he "frantically contacted" was a sleazy paid FBI informant that put him up to the whole thing from the start? Wouldn't be the first time
'"unidentified person" he "frantically contacted"'
The fact that the person is "unidentified" makes them an agent or officer of some kind be it proffesional or not.
The question is where they renumerated or not be it directly (cash in hand) indirectly (insider market investment intel) or in kind (reduced sentence or blind eye etc).
If they where then any evidence they provide or (chose not to) is contaminated.
Unfortunatly most investigations be it criminal or other wise where there is not a direct suspect, usually invole the suspect being "grassed up" in one way or another.
The problem is why do courts accept the testimony of what are effectivly "straw men".
The argument that they are subject to laws on perjury is just not sufficient these days as more and more people are found inocent of crimes they have been falsly accused of.
Just because he is a stupid terrorist doesn't mean he is not a terrorist and not a threat. Not sure what your point is, Bruce. The "spooks" were right to take the guy down and pursue his affiliates. This case looks like an intelligence success to me...the IQ of the perp is a side question, insubstantial to the core issues.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.