Tuesday, April 26, 2005

Fisking Security Roulette

Click here for AmazonFor security executives, CSO Online offers articles and opinions on all things security. If a topic relates to physical security, privacy, or information security, CSO Online will probably cover it.

The April 1, 2005 publication offered an anonymous column by a "real CSO". In short, the author questions the Government's current approach to national security. Ostensibly apolitical, it provides subtle jibes at the administration's spending priorities.

After reading it, digesting it, and allowing it to percolate, I started having some doubts regarding the author's assertions. Let's fisk it, shall we?

On any given day, we CSOs come to work facing a multitude of security risks... To guard against these risks, we have a finite budget of resources in the way of time, personnel, money and equipment—poker chips, if you will.

If we're good gamblers, we put those chips where there is the highest probability of winning a high payout. In other words, we guard against risks that are most likely to occur and that, if they do occur, will cost the company the most money... So lately I've been wondering—as I watch spending on national security continue to skyrocket, with diminishing marginal returns—why we as a nation can't apply this same logic to national security spending. If we did this, the war on terrorism would look a lot different. In fact, it might even be over.

Diminishing marginal returns? How so? The country's borders are porous and a serious problem, I think most would agree. A nuclear device detonated in New York City would literally pulverize the economy and risk a global thermonuclear exchange. And a single EMP weapon detonated at altitude could literally turn the country's economy off, sending the US back into the nineteenth century.

So, I suppose we need to understand what "diminishing marginal returns" mean, when stopping a single device from entering the country could literally be the difference between, oh I don't know, the United States and, say, Haiti.

Let's assume, first of all, that the ultimate goal of security is to prevent the loss of lives. In this risk management approach, then, the first thing to look at is the leading causes of death in the United States. The total number of deaths from all attacks on Sept. 11, 2001, was approximately 2,988, according to the National Center for Health Statistics. The top 10 causes of other deaths in the United States in 2001 were the following.

1. Heart disease: 700,142
2. Cancer: 553,768
3. Stroke: 163,538
4. Chronic lower respiratory disease: 123,013
5. Accidents: 101,537
6. Diabetes: 71,372
7. Pneumonia/flu: 62,034
8. Alzheimer's disease: 53,852
9. Kidney disease: 39,480
10. Suicide: 30,622

The 9/11 deaths were classified within a category called assaults/homicides, which was the 13th leading cause of death at 20,308.

I'm guessing that you picked a convenient criterion out of your... err... hat... but it's the wrong one. The 9/11 attacks were not a major contributor to deaths in the U.S. in 2001. But the attacks were absolutely devastating to the national economy and, indirectly, to the entire global economy.

$16.9 billion in total lost output for the New York City economy alone. $83 billion in direct and indirect costs, according to the GAO.

This translates to a serious impact on the livelihoods of tens or hundreds of millions of people... all caused by an attack that killed several thousands of people, but was small potatos compared to the worst-case scenarios.

Thus, there's little question that the wrong criterion was used.

The next thing to look at is spending. As I write this article, the president has just released his proposed federal budget for fiscal year 2006. The projected budget for the Department of Defense is $419.3 billion, and the projected budget for the Department of Homeland Security is $34.2 billion. Since 2001, defense spending has risen by more than 40 percent, and the Department of Homeland Security budget has roughly tripled... CSOs know how to best allocate available resources to guard against the most likely threats. We should be vocal about the need to apply that same logic to our nation's security.

And if you had access to all of the actionable intelligence, much of which I am sure is classified, perhaps you could evaluate that logic. But I'm betting you don't have such access... and therefore you are flying blind. And that's no way to run a security operation.

...For example, eight of the top 10 causes of death are health-related. If one classifies suicide as a mental health problem, then nine of the top 10 causes of death are health-related. Could those billions of dollars have saved more lives if they had been spent on health research or on making health care available to a larger percentage of the population?

Wrong criterion. Wrong... wrong... and wrong.

Probably. But, you might ask, what about the costs of another successful terrorist attack? Another terrorist attack using say, a nuclear device, could result in hundreds of thousands or maybe even millions of deaths—not to mention having a catastrophic effect on the nation's economy and environment. That's true. But ask yourself this question: Have the billions of dollars spent on additional security since 9/11 made this kind of attack impossible?

Impossible? Since when does any defensive course of action render something impossible? Never. Nothing is impenetrable. But when the very existence of the United States is at risk, every possible and reasonable avenue must be explored.

We inspect less than 3 percent of the cargo containers coming into this country. It would be catastrophic if just one of the 97 percent that aren't checked made it through with a nuclear device. Or what about the possibility of a terrorist sailing a vessel with a nuclear device on board into the harbor of New York City, San Francisco or New Orleans, or any other port city? All the money in the U.S. Treasury might not be enough to prevent that from happening.

And yet, a modest amount of R&D funding might create a sophisticated scanning technology that would make protecting ports feasible. Again, without an understanding of the actionable intelligence and all ongoing programs/countermeasures, you are simply flying blind. And your statements are therefore little more than conjecture.

In economics, there is something called the law of diminishing marginal returns, which dictates that, at some point, spending additional dollars no longer gains you as much improvement. As a nation, we have certainly reached that point with spending on security.

And you've reached that conclusion... how? Not a shred of evidence has been presented to make that case.

...If you don't want to spend money on those problems, fine. Save it instead. The U.S. Federal budget deficit is at a historic high... The money we spend fighting terrorism could be used to reduce the budget deficit and prevent future economic problems instead...

...Former Vermont Sen. George Aiken reportedly gave some now-famous advise to Lyndon Johnson during the Vietnam War. He told him, "Just declare victory and go home." It's time we did the same on terrorism. The sooner we stop spending more and more on security and start applying to other, more serious threats, the better off this country will be.

Are the government's decisions perfect? Of course not. Are you -- a person almost certainly unfamiliar with the relevant, actionable intelligence -- capable of adjudicating the government's performance? Likewise: no. Not even close.

The byline shouldn't have read "anonymous". It should have read, "Naive, anonymous, and probably partisan to boot.".

CSO Online: Security Roulette

No comments: