Experts:U.S. security fundamentally flawed

By CHRISTIAN BOURGE, UPI think tanks corresponent  |  Sept. 26, 2002 at 4:35 PM
share with facebook
share with twitter

WASHINGTON, Sept. 26 (UPI) -- Americans must make a complete change in how they approach security policy and how they act to protect vital facilities and infrastructure in order for such efforts to effectively deter terrorist attacks, leading think tank authorities on security issues said.

"We are going to have to fundamentally alter our mindset about security," Brian Michael Jenkins, a senior adviser to the president of the RAND Corp. and a research associate at the Mineta Transportation Institute, told United Press International. "Our obstacles are partly institutional and partly due to institutional thinking and mindset."

Jenkins, who is considered one of the world's leading authorities on political violence and terrorism, was a member the White House Commission on Aviation Safety and Security during the Clinton administration, and co-authored the book "Aviation Terrorism and Security."

He said more thought and effort has been spent in the United States on making the supermarket checkout process efficient than has been put into implementing effective security design in most situations, such as airports.

Security is a complex issue that involves the implementation of broad policy decisions at the local, state, federal and international levels, through a tangle of agencies. But at its most immediate level, it involves on-the-ground deployment of technology and personnel to protect public and private facilities from illegal entry or attack.

But according to experts in the field, there is a general over-reliance on technology and poorly trained personnel to provide security in the United States. This -- coupled with a poor understanding of security design and unrealistic expectations about what such efforts can accomplish -- together ensure that typical security measures are ineffective, they say.

Since the Sept. 11, 2001, terror attacks, every major defense company in American has named a vice president for homeland security, and begun developing technology that it hopes to sell to the government and other agencies in charge of security.

But Jenkins and other experts argue that machines and technology are not a silver bullet for the security problem, though efforts by government and the private sector to beef up security at airports and other potential terrorist targets is based heavily on the introduction of new technologies.

"We have depended much more on the development of technology and deploying that technology than on the human engineering, ergonomics and operator issues involved in making the machines as effective as possible with appropriate training," said Jenkins.

Bruce Schneier, an expert on computer security and the co-founder of Counterpane Internet Security, a company that provides security for corporate and government computer networks, said that the American view of technology as the fix for all problems ignores the reality of how security functions.

"America is enamored with technology, they want the pill that will make them better," said Schneier, who rose to prominence in the computer security realm as a creator of computer codes and ciphers. His book "Applied Cryptology" is considered the bible of the field.

"Americans don't like to think," he said. "Americans don't like it fuzzy, we don't like to not have an answer."

security is a complicated process that is prone to failure and needs human creativity to ensure its effectiveness, he said.

"If you want to have real security, what works is having people figuring out what is going on in real time, inventing new ways of dealing with it and solving it," he said. "That prevented the fourth plane from hitting the U.S. Capitol."

Gary Anderson, director of the National Center for Unconventional Thought at the Potomac Institute for Policy Studies, agreed that making technology the main barrier to threats is not the answer to protecting against the asymmetrical nature of terrorism.

"There are a lot of pluses for technology, but what you have got to be able to do is anticipate the way your opponent is thinking -- and technology can not provide this," said Anderson, who is a former colonel in the Marine Corps and executive director of the Center for Emerging Threats and Opportunities at the Marine training center in Quantico, Va.

"My perspective is that that the vast majority of security, particularly against asymmetrical threats, is not in technology. It is in the mind of the beholder," he said. "This is counterintuitive to the American way of thinking that technology is the solution to everything."

Schneier has also argued that in the case of airline security since Sept. 11, the focus on how to better block terror threats misses the point of security.

"Security isn't a barrier, it is deterrence," he said, noting that a common misconception about the nature of security is that it can stop hostile actions, when in fact all it can do is act to discourage them.

He added that though this "philosophical difference" needs to be recognized, the fact is that security efforts will not stop terrorism because all security measures are inherently open to attack and can likely be bypassed in some way.

"Terrorism will always be with us. Terrorism is inevitable like murder is inevitable," he said. "Yet we can live relatively safely."

According to Jenkins, no amount of technology would have prevented what happened on Sept. 11. In fact, the terrorists that hijacked the planes did not even violate set security rules or procedures for American airports at the time, he said.

Anderson says this demonstrates the problem with static security system designs that rely on set regulations or hurdles: They that establish regular patterns and weaknesses that can be exploited for an attack.

He contrasted this to the way in which North Vietnamese soldiers were trained to look for openings in American machine gun fire during battle, to find areas to attack. Terrorists, by nature, analyze security procedures and find the weaknesses in the model, he said.

Schneier added that technology provides another level of weakness, in that there are always parts of computer or engineering designs that can be exploited.

Jenkins said he believes the over-reliance on technology and the mismanagement of security in the United States is at least partially the result of the growth in the privatization of security. Profit-driven firms that have to compete for contracts face cost constraints that lead to limitations in the training of their security staff, he said.

Nearly 2 million people are employed in the private security industry, which exceeds $100 billion dollars a year in revenue, he said. But this is a highly competitive sector in which contracts are awarded to the lowest bidder. As a result, salaries for security personnel hover near the minimum wage, which generates turnover rates that Jenkins said run as high as 400 percent.

"The training has been of poor quality, unimaginative, and really not aimed at creating well trained, highly motivated security forces," said Jenkins.

Jenkins said that beyond improving training, more attention must be paid to how individuals are chosen to do security work. He said that basic aptitude testing should be part of this process.

Most important, said the analysts, was the need to design security systems as layered models that avoid the "castle and moat" approach to security that prevails in American security. Under this model, if the main barrier fails, then access is gained to the secured area.

Such a layered design structure is based on the assumption that security measures will inevitably fail, so multiple tiers of security are created to provide back-ups for system failures at each level. The idea is not to design a system that is impregnable, which is impossible, says Schneier, but rather to design a system that "fails well," in ways that enable security to be maintained. The key is that each layer of security must be well integrated into the overall system in order to provide effective deterrence.

An example of the lack of this wholly systemic approach to airport security is the hodgepodge of rules that make up the air transportation security model.

"Each procedure is in response to some specific event in the past, so what we have in accumulation is a series of responses to what are for the most part unconnected events and threats," said Jenkins. "We don't have a web of security."

Schneier added that many of the policy decisions about domestic security have been made to calm people's fears, not to truly improve security.

In the case of airline security, a series of inadequate checks -- whether they occur at the entrance to the concourse or at the boarding gate -- do not add up to an effectively layered security system, he said.

"There are concerns about security and more concerns about perceptions," said Schneier. He added that the odds of being on a hijacked plane are actually quite low. "It is all about the perception of security, and beyond that is the reality, which is that it is safe to fly."

"Taking away tweezers from little old ladies is not going to make any difference," he added.

Schneier said some of the responses from the federal government, such as tracking down the financing of terrorist networks and increasing the surveillance of foreigners entering the country, are good security responses.

"We are doing some of the right things," said Schneier. "If the criminal isn't here, or can't get here, he can't pose a risk."

Nevertheless, he said that American security efforts create danger because they focus mostly on the last line of defense at the potential target.

"(Security) has always failed, and will continue to. Your skin will never stop a bullet," said Schneier.

Jenkins says that policymakers must do all they can to improve the effectiveness of security in the United States, in part because poor security has huge economic risks. This was demonstrated by the shutdown in airline business following Sept. 11.

"We have to have an approach that is going to be realistic in our appraisal of risk and resilient in its model," said Jenkins. He believes that because of the economic risks, commercial pressures will ultimately "oblige us to begin thinking more strategically."

For Anderson, it is impossible to overstate the importance of creativity and flexibility in security system design. He said that the key to enabling creativity lies at the local level, with those in charge of security at individual facilities.

"You have to empower the local security managers to do things, and perhaps to change things independently every day," he said.

Anderson also said that mystery must be built into the design of any security system, to foil terrorists. This can be accomplished by making random, unscheduled changes to security measures to ensure that patterns are kept to a minimum.

All three analysts agreed that in most cases, creativity was the key element missing from security policy and the design of security systems.

"What we need is thinking," said Schneier. "People need to think about the problems and the best way to solve them, and not just do random things in case they will work, which is really what we are (still) seeing."

Trending Stories