Entries Tagged "intelligence"

Tactics, Targets, and Objectives

If you encounter an aggressive lion, stare him down. But not a leopard; avoid his gaze at all costs. In both cases, back away slowly; don’t run. If you stumble on a pack of hyenas, run and climb a tree; hyenas can’t climb trees. But don’t do that if you’re being chased by an elephant; he’ll just knock the tree down. Stand still until he forgets about you.

I spent the last few days on safari in a South African game park, and this was just some of the security advice we were all given. What’s interesting about this advice is how well-defined it is. The defenses might not be terribly effective—you still might get eaten, gored or trampled—but they’re your best hope. Doing something else isn’t advised, because animals do the same things over and over again. These are security countermeasures against specific tactics.

Lions and leopards learn tactics that work for them, and I was taught tactics to defend myself. Humans are intelligent, and that means we are more adaptable than animals. But we’re also, generally speaking, lazy and stupid; and, like a lion or hyena, we will repeat tactics that work. Pickpockets use the same tricks over and over again. So do phishers, and school shooters. If improvised explosive devices didn’t work often enough, Iraqi insurgents would do something else.

So security against people generally focuses on tactics as well.

A friend of mine recently asked me where she should hide her jewelry in her apartment, so that burglars wouldn’t find it. Burglars tend to look in the same places all the time—dresser tops, night tables, dresser drawers, bathroom counters—so hiding valuables somewhere else is more likely to be effective, especially against a burglar who is pressed for time. Leave decoy cash and jewelry in an obvious place so a burglar will think he’s found your stash and then leave. Again, there’s no guarantee of success, but it’s your best hope.

The key to these countermeasures is to find the pattern: the common attack tactic that is worth defending against. That takes data. A single instance of an attack that didn’t work—liquid bombs, shoe bombs—or one instance that did—9/11—is not a pattern. Implementing defensive tactics against them is the same as my safari guide saying: “We’ve only ever heard of one tourist encountering a lion. He stared it down and survived. Another tourist tried the same thing with a leopard, and he got eaten. So when you see a lion….” The advice I was given was based on thousands of years of collective wisdom from people encountering African animals again and again.

Compare this with the Transportation Security Administration’s approach. With every unique threat, TSA implements a countermeasure with no basis to say that it helps, or that the threat will ever recur.

Furthermore, human attackers can adapt more quickly than lions. A lion won’t learn that he should ignore people who stare him down, and eat them anyway. But people will learn. Burglars now know the common “secret” places people hide their valuables—the toilet, cereal boxes, the refrigerator and freezer, the medicine cabinet, under the bed—and look there. I told my friend to find a different secret place, and to put decoy valuables in a more obvious place.

This is the arms race of security. Common attack tactics result in common countermeasures. Eventually, those countermeasures will be evaded and new attack tactics developed. These, in turn, require new countermeasures. You can easily see this in the constant arms race that is credit card fraud, ATM fraud or automobile theft.

The result of these tactic-specific security countermeasures is to make the attacker go elsewhere. For the most part, the attacker doesn’t particularly care about the target. Lions don’t care who or what they eat; to a lion, you’re just a conveniently packaged bag of protein. Burglars don’t care which house they rob, and terrorists don’t care who they kill. If your countermeasure makes the lion attack an impala instead of you, or if your burglar alarm makes the burglar rob the house next door instead of yours, that’s a win for you.

Tactics matter less if the attacker is after you personally. If, for example, you have a priceless painting hanging in your living room and the burglar knows it, he’s not going to rob the house next door instead—even if you have a burglar alarm. He’s going to figure out how to defeat your system. Or he’ll stop you at gunpoint and force you to open the door. Or he’ll pose as an air-conditioner repairman. What matters is the target, and a good attacker will consider a variety of tactics to reach his target.

This approach requires a different kind of countermeasure, but it’s still well-understood in the security world. For people, it’s what alarm companies, insurance companies and bodyguards specialize in. President Bush needs a different level of protection against targeted attacks than Bill Gates does, and I need a different level of protection than either of them. It would be foolish of me to hire bodyguards in case someone was targeting me for robbery or kidnapping. Yes, I would be more secure, but it’s not a good security trade-off.

Al-Qaida terrorism is different yet again. The goal is to terrorize. It doesn’t care about the target, but it doesn’t have any pattern of tactic, either. Given that, the best way to spend our counterterrorism dollar is on intelligence, investigation and emergency response. And to refuse to be terrorized.

These measures are effective because they don’t assume any particular tactic, and they don’t assume any particular target. We should only apply specific countermeasures when the cost-benefit ratio makes sense (reinforcing airplane cockpit doors) or when a specific tactic is repeatedly observed (lions attacking people who don’t stare them down). Otherwise, general countermeasures are far more effective a defense.

This essay originally appeared on Wired.com.

EDITED TO ADD (6/14): Learning behavior in tigers.

Posted on May 31, 2007 at 6:11 AM

The Difficulty of Profiling Terrorists

Interesting article:

A recently completed Dutch study of 242 Islamic radicals convicted or accused of planning terrorist attacks in Europe from 2001 to 2006 found that most were men of Arab descent who had been born and raised in Europe and came from lower or middle-class backgrounds. They ranged in age from 16 to 59 at the time of their arrests; the average was 27. About one in four had a criminal record.

The author of the study, Edwin Bakker, a researcher at the Clingendael Institute in The Hague, tried to examine almost 20 variables concerning the suspects’ social and economic backgrounds. In general, he determined that no reliable profile existed—their traits were merely an accurate reflection of the overall Muslim immigrant population in Europe. “There is no standard jihadi terrorist in Europe,” the study concluded.

In an interview, Bakker said that many local police agencies have been slow to abandon profiling, but that most European intelligence agencies have concluded it is an unreliable tool for spotting potential terrorists. “How can you single them out? You can’t,” he said. “For the secret services, it doesn’t give them a clue. We should focus more on suspicious behavior and not profiling.”

Posted on March 13, 2007 at 5:42 PM

Canadian Anti-Terrorism Law News

Big news:

The court said the men, who are accused of having ties to al-Qaeda, have the right to see and respond to evidence against them. It pointed to a law in Britain that allows special advocates or lawyers to see sensitive intelligence material, but not share details with their clients.

In its ruling, the court said while it’s important to protect Canada’s national security, the government can do more to protect individual rights.

But the court suspended the judgment from taking legal effect for a year, giving Parliament time to write a new law complying with constitutional principles.

Critics have long denounced the certificates, which can lead to deportation of non-citizens on the basis of secret intelligence presented to a Federal Court judge at closed-door hearings.

Those who fight the allegations can spend years in jail while the case works its way through the legal system. In the end, they can sometimes face removal to countries with a track record of torture, say critics.

And that’s not the only piece of good news from Canada. Two provisions from an anti-terrorism law passed at the end of 2001 were due to expire at the end of February. The House of Commons has voted against extending them:

One of the anti-terrorism measures allows police to arrest suspects without a warrant and detain them for three days without charges, provided police believe a terrorist act may be committed. The other measure allows judges to compel witnesses to testify in secret about past associations or pending acts. The witnesses could go to jail if they don’t comply.

The two measures, introduced by a previous Liberal government in 2001, have never been used.

“These two provisions especially have done nothing to fight against terrorism,” Dion said Tuesday. “[They] have not been helpful and have continued to create some risk for civil liberties.”

Another article here.

Posted on March 2, 2007 at 6:54 AM

Excessive Secrecy and Security Helps Terrorists

I’ve said it, and now so has the director of the Canadian Security Intelligence Service:

Canada’s spy master, of all people, is warning that excessive government secrecy and draconian counterterrorism measures will only play into the hands of terrorists.

“The response to the terrorist threat, whether now or in the future, should follow the long-standing principle of ‘in all things moderation,’” Jim Judd, director of the Canadian Security Intelligence Service, said in a recent Toronto speech.

Posted on February 2, 2007 at 7:25 AM

A Classified Wikipedia

A good idea:

The office of U.S. intelligence czar John Negroponte announced Intellipedia, which allows intelligence analysts and other officials to collaboratively add and edit content on the government’s classified Intelink Web much like its more famous namesake on the World Wide Web.

A “top secret” Intellipedia system, currently available to the 16 agencies that make up the U.S. intelligence community, has grown to more than 28,000 pages and 3,600 registered users since its introduction on April 17. Less restrictive versions exist for “secret” and “sensitive but unclassified” material.

Posted on November 15, 2006 at 6:41 AM

Total Information Awareness Is Back

Remember Total Information Awareness?

In November 2002, the New York Times reported that the Defense Advanced Research Projects Agency (DARPA) was developing a tracking system called “Total Information Awareness” (TIA), which was intended to detect terrorists through analyzing troves of information. The system, developed under the direction of John Poindexter, then-director of DARPA’s Information Awareness Office, was envisioned to give law enforcement access to private data without suspicion of wrongdoing or a warrant.

TIA purported to capture the “information signature” of people so that the government could track potential terrorists and criminals involved in “low-intensity/low-density” forms of warfare and crime. The goal was to track individuals through collecting as much information about them as possible and using computer algorithms and human analysis to detect potential activity.

The project called for the development of “revolutionary technology for ultra-large all-source information repositories,” which would contain information from multiple sources to create a “virtual, centralized, grand database.” This database would be populated by transaction data contained in current databases such as financial records, medical records, communication records, and travel records as well as new sources of information. Also fed into the database would be intelligence data.

The public found it so abhorrent, and objected so forcefully, that Congress killed funding for the program in September 2003.

None of us thought that meant the end of TIA, only that it would turn into a classified program and be renamed. Well, the program is now called Tangram, and it is classified:

The government’s top intelligence agency is building a computerized system to search very large stores of information for patterns of activity that look like terrorist planning. The system, which is run by the Office of the Director of National Intelligence, is in the early research phases and is being tested, in part, with government intelligence that may contain information on U.S. citizens and other people inside the country.

It encompasses existing profiling and detection systems, including those that create “suspicion scores” for suspected terrorists by analyzing very large databases of government intelligence, as well as records of individuals’ private communications, financial transactions, and other everyday activities.

The information about Tangram comes from a government document looking for contractors to help design and build the system.

DefenseTech writes:

The document, which is a description of the Tangram program for potential contractors, describes other, existing profiling and detection systems that haven’t moved beyond so-called “guilt-by-association models,” which link suspected terrorists to potential associates, but apparently don’t tell analysts much about why those links are significant. Tangram wants to improve upon these methods, as well as investigate the effectiveness of other detection links such as “collective inferencing,” which attempt to create suspicion scores of entire networks of people simultaneously.

Data mining for terrorists has always been a dumb idea. And the existence of Tangram illustrates the problem with Congress trying to stop a program by killing its funding; it just comes back under a different name.

Posted on October 31, 2006 at 6:59 AM

Did Hezbollah Crack Israeli Secure Radio?

According to Newsday:

Hezbollah guerrillas were able to hack into Israeli radio communications during last month’s battles in south Lebanon, an intelligence breakthrough that helped them thwart Israeli tank assaults, according to Hezbollah and Lebanese officials.

Using technology most likely supplied by Iran, special Hezbollah teams monitored the constantly changing radio frequencies of Israeli troops on the ground. That gave guerrillas a picture of Israeli movements, casualty reports and supply routes. It also allowed Hezbollah anti-tank units to more effectively target advancing Israeli armor, according to the officials.

Read the article. Basically, the problem is operational error:

With frequency-hopping and encryption, most radio communications become very difficult to hack. But troops in the battlefield sometimes make mistakes in following secure radio procedures and can give an enemy a way to break into the frequency-hopping patterns. That might have happened during some battles between Israel and Hezbollah, according to the Lebanese official. Hezbollah teams likely also had sophisticated reconnaissance devices that could intercept radio signals even while they were frequency-hopping.

I agree with this comment from The Register:

Claims that Hezbollah fighters were able to use this intelligence to get some intelligence on troop movement and supply routes are plausible, at least to the layman, but ought to be treated with an appropriate degree of caution as they are substantially corroborated by anonymous sources.

But I have even more skepticism. If indeed Hezbollah was able to do this, the last thing they want is for it to appear in the press. But if Hezbollah can’t do this, then a few good disinformation stories are a good thing.

Posted on September 20, 2006 at 2:35 PM

More Than 10 Ways to Avoid the Next 9/11

From yesterday’s New York Times, “Ten Ways to Avoid the Next 9/11”:

If we are fortunate, we will open our newspapers this morning knowing that there have been no major terrorist attacks on American soil in nearly five years. Did we just get lucky?

The Op-Ed page asked 10 people with experience in security and counterterrorism to answer the following question: What is one major reason the United States has not suffered a major attack since 2001, and what is the one thing you would recommend the nation do in order to avoid attacks in the future?

Actually, they asked more than 10, myself included. But some of us were cut because they didn’t have enough space. This was my essay:

Despite what you see in the movies and on television, it’s actually very difficult to execute a major terrorist act. It’s hard to organize, plan, and execute an attack, and it’s all too easy to slip up and get caught. Combine that with our intelligence work tracking terrorist cells and interdicting terrorist funding, and you have a climate where major attacks are rare. In many ways, the success of 9/11 was an anomaly; there were many points where it could have failed. The main reason we haven’t seen another 9/11 is that it isn’t as easy as it looks.

Much of our counterterrorist efforts are nothing more than security theater: ineffectual measures that look good. Forget the “war on terror”; the difficulty isn’t killing or arresting the terrorists, it’s finding them. Terrorism is a law enforcement problem, and needs to be treated as such. For example, none of our post-9/11 airline security measures would have stopped the London shampoo bombers. The lesson of London is that our best defense is intelligence and investigation. Rather than spending money on airline security, or sports stadium security—measures that require us to guess the plot correctly in order to be effective—we’re better off spending money on measures that are effective regardless of the plot.

Intelligence and investigation have kept us safe from terrorism in the past, and will continue to do so in the future. If the CIA and FBI had done a better job of coordinating and sharing data in 2001, 9/11 would have been another failed attempt. Coordination has gotten better, and those agencies are better funded—but it’s still not enough. Whenever you read about the billions being spent on national ID cards or massive data mining programs or new airport security measures, think about the number of intelligence agents that the same money could buy. That’s where we’re going to see the greatest return on our security investment.

Posted on September 11, 2006 at 6:36 AM

Details on the British Terrorist Arrest

Details are emerging:

  • There was some serious cash flow from someone, presumably someone abroad.
  • There was no imminent threat.
  • However, the threat was real. And it seems pretty clear that it would have bypassed all existing airport security systems.
  • The conspirators were radicalized by the war in Iraq, although it is impossible to say whether they would have been otherwise radicalized without it.
  • They were caught through police work, not through any broad surveillance, and were under surveillance for more than a year.

What pisses me off most is the second item. By arresting the conspirators early, the police squandered the chance to learn more about the network and arrest more of them—and to present a less flimsy case. There have been many news reports detailing how the U.S. pressured the UK government to make the arrests sooner, possibly out of political motivations. (And then Scotland Yard got annoyed at the U.S. leaking plot details to the press, hampering their case.)

My initial comments on the arrest are here. I still think that all of the new airline security measures are an overreaction. (This essay makes the same point, as well as describing a 1995 terrorist plot that was remarkably similar in both materials and modus operandi—and didn’t result in a complete ban on liquids.)

As I said on a radio interview a couple of weeks ago: “We ban guns and knives, and the terrorists use box cutters. We ban box cutters and corkscrews, and they hide explosives in their shoes. We screen shoes, and the terrorists use liquids. We ban liquids, and the terrorist will use something else. It’s not a fair game, because the terrorists get to see our security measures before they plan their attack.” And it’s not a game we can win. So let’s stop playing, and play a game we actually can win. The real lesson of the London arrests is that investigation and intelligence work.

EDITED TO ADD (8/29): Seems this URL is unavailable in the U.K. See the comments for ways to bypass the block.

Posted on August 29, 2006 at 7:20 AM

Last Week's Terrorism Arrests

Hours-long waits in the security line. Ridiculous prohibitions on what you can carry onboard. Last week’s foiling of a major terrorist plot and the subsequent airport security graphically illustrate the difference between effective security and security theater.

None of the airplane security measures implemented because of 9/11—no-fly lists, secondary screening, prohibitions against pocket knives and corkscrews—had anything to do with last week’s arrests. And they wouldn’t have prevented the planned attacks, had the terrorists not been arrested. A national ID card wouldn’t have made a difference, either.

Instead, the arrests are a victory for old-fashioned intelligence and investigation. Details are still secret, but police in at least two countries were watching the terrorists for a long time. They followed leads, figured out who was talking to whom, and slowly pieced together both the network and the plot.

The new airplane security measures focus on that plot, because authorities believe they have not captured everyone involved. It’s reasonable to assume that a few lone plotters, knowing their compatriots are in jail and fearing their own arrest, would try to finish the job on their own. The authorities are not being public with the details—much of the “explosive liquid” story doesn’t hang together—but the excessive security measures seem prudent.

But only temporarily. Banning box cutters since 9/11, or taking off our shoes since Richard Reid, has not made us any safer. And a long-term prohibition against liquid carry-ons won’t make us safer, either. It’s not just that there are ways around the rules, it’s that focusing on tactics is a losing proposition.

It’s easy to defend against what the terrorists planned last time, but it’s shortsighted. If we spend billions fielding liquid-analysis machines in airports and the terrorists use solid explosives, we’ve wasted our money. If they target shopping malls, we’ve wasted our money. Focusing on tactics simply forces the terrorists to make a minor modification in their plans. There are too many targets—stadiums, schools, theaters, churches, the long line of densely packed people before airport security—and too many ways to kill people.

Security measures that require us to guess correctly don’t work, because invariably we will guess wrong. It’s not security, it’s security theater: measures designed to make us feel safer but not actually safer.

Airport security is the last line of defense, and not a very good one at that. Sure, it’ll catch the sloppy and the stupid—and that’s a good enough reason not to do away with it entirely—but it won’t catch a well-planned plot. We can’t keep weapons out of prisons; we can’t possibly keep them off airplanes.

The goal of a terrorist is to cause terror. Last week’s arrests demonstrate how real security doesn’t focus on possible terrorist tactics, but on the terrorists themselves. It’s a victory for intelligence and investigation, and a dramatic demonstration of how investments in these areas pay off.

And if you want to know what you can do to help? Don’t be terrorized. They terrorize more of us if they kill some of us, but the dead are beside the point. If we give in to fear, the terrorists achieve their goal even if they were arrested. If we refuse to be terrorized, then they lose—even if their attacks succeed.

This op ed appeared today in the Minneapolis Star-Tribune.

EDITED TO ADD (8/13): The Department of Homeland Security declares an entire state of matter a security risk. And here’s a good commentary on being scared.

Posted on August 13, 2006 at 8:15 AM
