Schneier on Security
A blog covering security and security technology.
« Epsilon Hack |
| Optical Stun Ray »
April 6, 2011
Counterterrorism Security Cost-Benefit Analysis
"Terror, Security, and Money: Balancing the Risks, Benefits, and Costs of Homeland Security," by John Mueller and Mark Stewart:
Abstract:The cumulative increase in expenditures on US domestic homeland security over the decade since 9/11 exceeds one trillion dollars. It is clearly time to examine these massive expenditures applying risk assessment and cost-benefit approaches that have been standard for decades. Thus far, officials do not seem to have done so and have engaged in various forms of probability neglect by focusing on worst case scenarios; adding, rather than multiplying, the probabilities; assessing relative, rather than absolute, risk; and inflating terrorist capacities and the importance of potential terrorist targets. We find that enhanced expenditures have been excessive: to be deemed cost-effective in analyses that substantially bias the consideration toward the opposite conclusion, they would have to deter, prevent, foil, or protect against 1,667 otherwise successful Times-Square type attacks per year, or more than four per day. Although there are emotional and political pressures on the terrorism issue, this does not relieve politicians and bureaucrats of the fundamental responsibility of informing the public of the limited risk that terrorism presents and of seeking to expend funds wisely. Moreover, political concerns may be over-wrought: restrained reaction has often proved to be entirely acceptable politically.
Posted on April 6, 2011 at 6:03 AM
• 34 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
about time someone considered the CBA on terrorism.
too bad politicians must use fear to stay in office and "keep up with the joneses".
FINALLY!!!! Of course, this won't change a thing. The politicians are either sending money to cronies or doing CYA just in case somebody else tries to ignite their sneakers on a flight again. :(
About time? nothing new here ...
I really don't think there is dubious intent, just improper incentives.
First, governments don't pay enough attention to cost/benefit since there isn't much in the way of consequence. Unlike private business, governments don't go out of business over debt or excessive costs.
Second, part of it is the unfortunate nature of politics. Most people don't notice a trillion dollars being wasted on risk that is not proportional to the cost. However, everyone hears about it when one person tries to ignite something. Take airline travel for example, the TSA screens about 750 million passengers a year, which adds up to about 7 trillion since 9/11: one incident gets more publicity than $1 trillion dollars wasted.
The key to this, as with anything, is to put everything in perspective and line up the incentives accordingly. Politics aside, one reason I'm inclined to be for a balanced budget amendment is it would limit the power of government entities.
To put it in ridiculous terms, let's say every life is worth $1M. 9/11 was then a life loss of ~$3B. We could have three 9/11s a month for the last decade (3*12*10*$3B ~ $1T) and just be breaking even. WTF?
@No One: To put it in ridiculous terms, let's say every life is worth $1M. 9/11 was then a life loss of ~$3B. We could have three 9/11s a month for the last decade (3*12*10*$3B ~ $1T) and just be breaking even. WTF?
I think part of the problem with measuring life in those terms is the compartmentalization of it. $1 million per one saved life in one area doesn't measure the greater number of lives that same number could have saved in another area.
Plus, as counterintuitive as it sounds, life isn't the only thing of value. If our sole purpose was to save life, we could pass a federal law that cut every speed limit in the country in half. This would no doubt save lives, but it would seriously diminish the quality of life. When put in such illustrations that are commonplace (we deal with vehicular travel), most of us are willing to accept a bit more risk for a bit higher quality of life.
Now, there are limits... few, if any of us, would support doubling speed limits, for example, but when dealing with common risks we are used to, rather than the rare and spectacular that captivate us, most people wouldn't support sacrificing their freedoms and quality of life for them.
Why do these analyses always presume that the proffered reason for the homeland security apparatus is the real or only one? Sure, gov wants to show that they tried their best in the event of a sucessful attack. But the TSA is an effective tool in bending the population into mindless compliance with ineffective and unevenly applied rules operated with close to zero accountability. The scare tactic that a complaint against TSA may put you on the no-fly is an effective one too.
If that sounds cynical, note all the reports in the last year indicating that the Gitmo regimes were intended to get false confessions (to support the war). That was the main product of the program; useful intelligence a mere bonus.
Unfortunately there are too many people that believe the cost is always justified by being "safe." Diminishing returns, CBA, and anything that involves "facts" or "numbers" is seen as inhuman and cold to a great number of people. By that I mean a great number of voters.
Every time I have a discussion about the ridiculous spending on security theater, I ask its defendant what their extreme is. If they do not believe we are being ridiculous, at what point do they think we will be ridiculous? So far everyone agrees that stripping passengers and chaining them in crates is going too far for security, so at least there's a bit of common ground.
Then again, that would be a whole lot cheaper.
@HJohn Take airline travel for example, the TSA screens about 750 million passengers a year, which adds up to about 7 trillion since 9/11: one incident gets more publicity than $1 trillion dollars wasted.
750M * 10 = 7.5 Billion not 7.5 Trillion
This assumes that the primary goal is *not* to dump the limitless public coffers into a few connected private sector pockets.
It is all about greed. Long ago it was determined that war produces two outcomes: change and making money. The change is to put more people under control of a few and making money is the result. Even if you eliminated all the wars and those running them, it doesn't take a decade to get back to the same old same old.
@oc: "750M * 10 = 7.5 Billion not 7.5 Trillion"
You are correct. Honest mistake. Thanks for pointing it out.
As other posters have noted - follow the money.
More specifically, trace the connection between what politician pushes for what product and who is on the payroll of the company producing that product.
It's not about security, it's about money and control. Arguably, OBL and 9/11 have done far more for the US "security" and fear mongering industry than anyone else in history. If the same rules applied as in the banking industry, OBL would now be ranking on top of the biggest bonuses list rather than be on the FBI's most wanted list, irrespective of what he had done.
I guess the industry's way of thanking him is that ten years and one trillion dollars further he's still on the loose. IMHO this can only mean two things: incompetence or intent.
@Dirk Praet: I guess the industry's way of thanking [OBL] is that ten years and one trillion dollars further he's still on the loose. IMHO this can only mean two things: incompetence or intent.
That's quite a serious allegation.
It is apparently well known in the intelligence community that there are certain members of the Pakistani ISI who are quite aware of where bin Laden is, at least in general terms if not day to day.
But the CIA can't find him. With literally billions of dollars in SIGINT, satellite imaging, tons of spies on the ground in Pakistan (until a hundred or so got kicked out after the Davis incident - which probably leaves hundreds more still around), and enough money to bribe God no matter how fanatical a Muslim you are, they can't find him for ten years.
Once again, my standing offer: Pay me one billion dollars in advance and I will capture bin Laden - alive or dead, your choice (but dead is easier) - within ninety days. And I'll probably make a nine hundred million dollar profit doing so.
No takers? Must not want him very bad. Oh, wait, George Bush already admitted that years ago.
Bush: ""We will do everything we can to stop [bin Laden] here at home, and we're doing everything we can to hunt him down and bring him to justice"
Bush: "Well, as I say, we haven't heard much from him. And I wouldn't necessarily say he's at the center of any command structure. And, again, I don't know where he is. I -- I'll repeat what I said. I truly am not that concerned about him."
@Richard Steven Hack: Bush: "I truly am not that concerned about him."
I took that comment with a grain of salt (and a slice of lime and a shot of tequilla). I think he was more playing a mind game with OBL, banishing him to the irrellevant, hoping he'd come out to try to assert himself and mess up. He was also saying things like "he used to rule an army, now he is just ruling a cave." He's quote you mentioned and the one I mentioned were both from 2004, because I remember thinking "yeah, it's an election year, I'm sure he'd like to present OBL's carcus on a slab in October." He talked about him in dismissive terms quite a bit for someone who had claimed to not think about him.
That isn't a partisan point. I have no doubt President Obama would like to take him out by election day too.
But I do agree it is shameful OBL's still breathing.
@Richard Steven Hack
"I can find and kill bin Laden in 90 days if I had 1 billion dollars, and probably only use 1/10th of that."
The fact that you have no takers goes to the fact that no one will take you seriously, rather than evidence that they don't want him dead.
History is replete with people staying alive that others wanted dead. High-tech wizardry is less effective against a low-tech target, and if he's surrounded by people who are willing to die for him, why would a bribe be attractive to them?
To the point being discussed, yes, it would be great if the government did better risk assessment and CBA for security expenditures, but we're only going to get so far with that effort. We can always hope to make progress on that front, but we won't ever get the correct 1:1 ratio of expenditures to risks for two reasons.
First, the government is the government, which means that they will pay a lot of attention to a (publicly)perceived risk even if it isn't as high as other risks. Secondly, we're all humans. I believe we tend to be technical/analytical thinkers here on this list, but we can't expect other people to not react emotionally to risks, nor are we immune to those same feelings. I know my risk of dying from terroristic actions is extremely low, but watching people jump out of burning buildings is a searing experience for anybody.
@Rookie at April 6, 2011 3:14 PM
I think you make a good point. I also don't think the underlying motives are as dubious as some people ascribe.
I have zero fear of being the victim of terrorism. I estimate my risk at about one in a million for an attempt, and one in a billion for a success (obviously, this is a figure of speech). But, TSA for example, screens 2 million passengers a day, and about 1 billion every 16 months. One in a million or one in a billion for them is much different than for us, especially since they get more grief over one incident than over a trillion wasted dollars.
Leaving TSA aside, as it is only one of the strategies, the risk does look different for those responsible for counterterrorism when they are dealing with hundreds of millions of potential victims.
I'm by no means justifying their methods or waste, but given the amount of resources they are given, the incentives are behind them coverying their rears as much as possible. Which is why I think they need cut to force them to assess risk more efficiently.
@HJohn: "I really don't think there is dubious intent..."
We're talking about a massive federal government bureaucracy. Of course there is dubious intent. Why did body scanning plans quickly progress from having one scanner at each major airport for secondary screening to having scanners at major airports for primary screening to having multiple scanners at every airport for primary screening? Because ex-TSA administrators are top dogs in the two companies selling body scanners and because the CEO of one company bought his way into Obama's favor (and was invited to accompany the President on his India and Indonesia trip).
Homeland Security is the biggest waste of taxpayer dollars since the creation of the Department of Education, and it is the biggest jump in federal powers since the creation of the DEA. We have a war on drugs and a war on travelers. Both the DEA and the DHS spend tens of billions of dollars a year, and both cause more problems than they solve.
@Dan - " cost is always justified by being "safe."
Taking nose hair clippers off passengers $1Tn
Having a second air traffic controller in Washington in case one locks himself out of the tower - priceless
@HJohn: A one-in-a-million chance, taken a million times, will happen 63% of the time (assuming my Calc-fu is accurate). So that's one attempted attack every two to three days... do nail files count?
I know those numbers were just figures of speech, but perhaps we need some better figures of speech (one-in-a-quadrillion is a bit of a mouthful...)
3,000 deaths every 10 years over a population of 300,000,000 people means a chance of death of 1 in 1,000,000 (per year--I think). I'm not worried. I can concern myself with more common ways to die.
@HJohn "I think he was more playing a mind game with OBL, banishing him to the irrellevant,"
Then they really shouldn't have committed 'war on global terror-that-is-groups-who-use-terror-that-we-don't-agree-with-and-non-Islamic-based-terror-organizations.'
OBL wanted to engage with the US in combat in Afghanistan so he could win the same victory (he thinks) he won against the Soviets. Declaring war instead of treating them like the criminals they are is what legitimized him. America failing to make an end to OBL after declaring war fed his legend and did more for AL Queda recruiting than any of the terror acts they perpetrated.
Two mistakes. Declaring war, failing in ending the principal agent of that war. That's when Bush&Co started to denigrate the importance of OBL.
Am I missing something? Where are digital certificates in all of this? I agree that the trust model is inherently flawed, but...
"That's quite a serious allegation."
History will tell. There may of course also be political reasons where OBL is being left alone as part of a deal with the Pakistani government in fear of being overthrown by a popular uprising should they extradite him to the West, leaving behind a rogue fundamentalist state with nuclear arms. But in which case we're all being lied to. Not even that far-fetched, and exactly what the Julian Assange's of this world are trying to expose.
On the subject however, it would seem to me that in a democracy a government is accountable for the way the taxpayer's money is spent. Any objective CBA can only come to the conclusion that there is a huge gap between the actual threat and the means spent over it, and this without even taking into account the efficiency of it all and the erosion of civil liberties. The only reason this could be pulled off is because of the ease of marketing with the general public of a topic as sensitive as terrorism, and the ongoing fear mongering to prevent people from taking a logical view on the matter. I have said it before, and I'll say it again: it is beyond me that the children and grand children of a proud people that liberated Europe from the nazis for all practical purposes is allowing itself to be reduced by its own government to a nation of paranoiacs and defenseless sheep scared out of their wits by a bunch of - mostly incompetent - fundamentalist religious fanatics.
@ Dirk Praet
"I have said it before, and I'll say it again: it is beyond me that the children and grand children of a proud people that liberated Europe from the nazis for all practical purposes is allowing itself to be reduced by its own government to a nation of paranoiacs and defenseless sheep scared out of their wits by a bunch of - mostly incompetent - fundamentalist religious fanatics. "
Pretty well said.
I think the problem is that the "liberation of Europe" was two generations ago now. Most people (UK and US) have never experienced the genuine hardships of war so are much more open to being scared of it and because we have never lived without civil liberties, we dont realise how important they are.
(yes, this is a massive generalisation)
Rookie: "The fact that you have no takers goes to the fact that no one will take you seriously, rather than evidence that they don't want him dead."
I can only say "Duh!" to that. Obviously no one is going to take me seriously. I'm making a valid point, however: If you have the resources, NO ONE is invulnerable no matter where he's hiding and who he's surrounded with.
"History is replete with people staying alive that others wanted dead."
Because they didn't want him dead bad enough, obviously.
"High-tech wizardry is less effective against a low-tech target"
I didn't say anything about high-tech wizardry being the sole solution. The resources the CIA has can contribute to the solution. Bribery is very low tech and has been used for centuries to get someone dead.
"and if he's surrounded by people who are willing to die for him, why would a bribe be attractive to them?"
He's also surrounded by a country. And that country has literally MILLIONS of people who, despite their Pashtun culture of hospitality, are also poor as church mice. Trust me, someone who knows where he is will sell him out - if you can find that someone.
bin Laden is very likely NOT in a "cave" of any kind anywhere. He's being supported, he has a retinue of retainers and associates, he has logistics, he has contacts, he has movement. He has ongoing operations of some kind which require all of the above. He's not some survivalist hiding ALONE in the middle of the forests of Canada or the jungles of Brazil or Africa. If he was, you might be right about the odds of finding him. But he's not.
Also, if, as has been reported, there are ISI personnel who know pretty closely where he is, a plan could be devised to extract that information - preferably by some sort of con or intelligence operation, if bribery doesn't work.
I'll reiterate - give me a billion bucks and I'll nail bin Laden simply by doing the obvious things needed to penetrate his organization. Give me less money and it will just take longer because I might have to resort to infiltrating someone into Al Qaeda who I could use eventually to finger him.
As indicated by others above, the US may have political motivations for not finding him. I don't. I'm in it for the money.
You don't trust me to be able to do it - hire the baddest local Pakistani gang who doesn't like him. They'll find him. If they won't turn him over to the US, con them into revealing his whereabouts anyway.
No one on his level is secure. No one. If he's secure, it's because no one is really trying to get him.
bin Laden is one of our government's allies, and he did his job in service of our government quite well, no? Why would they kill him after being best buddies for over 20 years? Even the rest of his family got protection.
@ Richard Steven Hack
"hire the baddest local Pakistani gang who doesn't like him."
May I suggest subcontracting the assignment to some Mexican or Colombian drug kartel ? Chances are fair that when posing as a government agent and promissing them full control over the Afghan heroin traffic, they'll do it for free and you'll get to keep your billion minus some expenses. I thought this was exactly the kind of thing the CIA used to be really good at. Maybe they have just become a gang of pussies (GoP ® ) defending the nation by monitoring free speech activists and playing war games from behind digital screens in Langley, leaving the really dangerous work to the Blackwaters of this world.
This is not about the price of a life saved. It is the price of a face saved, the face of the sole and only super power on Tellus. It is the price the Americans pay to avoid loosing face to any rag-tag band of bad guys. One serious incident per year with an avarage of ten lives lost would rock the foundation of the US self image. One trillion over ten years is the price to preserve that self image.
Consider the cost of the overreaction.
If we always react by wasting a trillion dollars, then it may be worth a trillion dollars to stop another attack.
It's the cost we pay for stupidity.
I asked a former head of the uk's secret intelligence service about the maximum acceptable risk of death due to terrorist attack. I didn't get a straight answer.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.