Why can’t we have T-Hackers stay ahead of potential breaches?

Clark Kent Ervin, the former inspector general of the State Department (2001-2003) and of the Department of Homeland Security (2003 to 2004) who is currently the director of the Aspen Institute’s homeland security program recently wrote an op-ed for NYT excerpted below:





"Perhaps the biggest lesson for airline security from the recent incident is that we must overcome our tendency to be reactive. We always seem to be at least one step behind the terrorists. They find one security gap — carrying explosives onto a plane in their shoes, for instance — and we close that one, and then wait for them to exploit another. Why not identify all the vulnerabilities and then address each one before terrorists strike again?



Since the authorities have to succeed 100 percent of the time, and terrorists only once, the odds are overwhelmingly against the authorities. But they’ll be more likely to defy fate if they go beyond reflexive defense and play offense for a change."

It’s hard to argue with his point, for we clearly are reactive.  It’s as if our enemies have found our magic buttons, and they know exactly which button would get the desired reaction.

On December 2001, shoe-bomber Richard Reid made an unsuccessful attempt to blow up American Airlines Flight 63 from Paris to Miami with PETN as explosive.   According to Wikipedia, pentaerythritol tetranitrate (PETN) is one of the most powerful high explosives known, with a relative effectiveness factor (R.E. factor) of 1.66. It is also used as a medical drug to treat heart conditions.

Soon after that, we all had to take off our shoes, get wand screenings and pat downs at security points in our airports and at airports overseas. Shoes have become weaponized; they might as well join those box cutters and a whole lot of items now enshrined in the list of prohibited items when we fly.  Some funnies and some not so funny stories here. 

In 2006, the transatlantic aircraft terrorist plot to detonate liquid explosives carried on board at least 10 airliners travelling from the United Kingdom was discovered which resulted in chaos on how much liquids one can carry onto commercial aircrafts.



Imagine if you were breastfeeding or pumping milk the day those restrictions took effect? TSA says air travelers may now carry liquids, gels and aerosols in their carry-on bag when going through security checkpoints but “all liquids, gels and aerosols must be in 3.4 ounce (100ml) or smaller containers. Larger containers that are half-full or toothpaste tubes rolled up are not allowed. Each container must be 3.4 ounces (100ml) or smaller.” Somewhere, some not so nice folks are laughing.   

What are they going to think of next?

According to this report from Stratfor, when suicide-bomber Abdullah Hassan al Asiri attempted to assassinate the Saudi Arabian Deputy Minister of Interior Prince Muhammad bin Nayef  this past August, al Asiri who was described as a human Trojan horse activated a small improvised explosive device (IED) he was carrying inside his anal cavity. (Eww!)  PETN was reportedly the explosives used. The minister survived, the bomber did not.

Then on 25 December 2009, PETN was also found in the possession of Underpants Bomber, Umar Farouk Abdulmutallab who attempted to blow up Northwest Airlines Flight 253 while approaching Detroit from Amsterdam. Abdulmutallab allegedly tried to detonate PETN sewn into his underwear, by adding liquid from a syringe.

In the aftermath of these recent failed attempts, especially the latter, it looks like we are now faced with the distinct possibility of 1) a full body security scan which uses high frequency radio waves to produce an image of the human body to determine if passengers are smuggling items (such as drugs, cash or diamonds) in or underneath their clothing or 2) a full body scan which uses X-rays that pass through the body to trace swallowed items. Here is a good article on what Spiegel Online calls “strip search scanners.”

What are they going to think of next?  What if they succeed in putting explosives in ..... um, never mind. 

Banks hire the best hackers money can buy to steal from them—and then show them the holes in their defenses; by compromising their systems, they are able to protect their systems.  Have we done that?  According to this September 2009 GAO report on aviation security, TSA has implemented activities to assess risks to airport perimeters and access controls but has not conducted vulnerability assessments for 87 percent of the nation's approximately 450 commercial airports or any consequence assessments.  We're talking just aviation here, what about the rest?



Why can’t we do the equivalent of hackers when it comes to terrorism and stay one step ahead of potential breaches? The thing is we can't pretend to seal the holes in the boat when we don't know where we are leaking.  Until we know which parts of “us” are vulnerable, we will always play catch up.  And while we are stuck with protecting ourselves for the next shoe-bombing or underpants assault, the enemy may have already imagined other more creative ways to do us harm. The attack may not even have to blow anything up -- just throw us into chaos; at significant costs to our peace of mind and sense of security, and to the taxpayers’ pockets.



You’re going to start thinking Domani Spero has gone bat crazy …

Well, okay, maybe – but hiring T-hackers, for lack of a better word, would be no more expensive than what was already spent on security screenings since 2002, or the inevitable body scanners.  For all that expense and inconvenience, we only get the perception of security.  The shoe bomber was the reason we now take off our shoes at security checkpoints in airports but PETN is a plastic explosive that is not picked up by metal detectors. So... why are we  taking off our shoes, again?

According to another GAO report, the Transportation Security Administration (TSA) and the Department of Homeland Security (DHS) have invested over $795 million in technologies to screen passengers at airport checkpoints since fiscal year 2002. News reports indicate that the cost of body scan machines range from 175,000-250,000 each. 

How many airports are there?  According to the Airports Council International, the United States has over 19,847 airports based on the Department of Transportation’s 2007-2011 National Plan of Integrated Airport Systems (NPIAS). More than 3,364 of those airports are recognized by the Federal Aviation Administration (FAA) as being open to the public.  382 are Primary Airports, defined as having more than 10,000 annual passengers.



I don’t even want to do the math. My head already hurts.

See what I like about those T-hackers? A squad of dark rangers, brainiacs who can imagine the most dastardly attacks, the most unimaginable chaos and destruction, the dark days we do not want to see in the future – they could poke holes at our security portals and blankets now before a lone wolf or some real bad guys get lucky with poking around. 

  

Related articles by Zemanta

• PETN - hard to detect and just 100g can destroy a car (guardian.co.uk)

The Christmas Day Airliner Attack and the Intelligence Process

By George Friedman

This report is republished with permission of STRATFOR

As is well known, a Nigerian national named Umar Farouk Abdulmutallab attempted to destroy a passenger aircraft traveling from Amsterdam to Detroit on Dec. 25, 2009. Metal detectors cannot pinpoint the chemical in the device he sought to detonate, PETN. The PETN was strapped to his groin. Since a detonator could have been detected, the attacker chose — or had chosen for him — a syringe filled with acid for use as an improvised alternative means to initiate the detonation. In the event, the device failed to detonate, but it did cause a fire in a highly sensitive area of the attacker’s body. An alert passenger put out the fire. The plane landed safely. It later emerged that the attacker’s father, a prominent banker in Nigeria, had gone to the U.S. Embassy in Nigeria to warn embassy officials of his concerns that his son might be involved with jihadists.

The incident drove home a number of points. First, while al Qaeda prime — the organization that had planned and executed 9/11 — might be in shambles, other groups in other countries using the al Qaeda brand name and following al Qaeda prime’s ideology remain operational and capable of mounting attacks. Second, like other recent attacks, this attack was relatively feeble: It involved a single aircraft, and the explosive device was not well-conceived. Third, it remained and still remains possible for a terrorist to bring explosives on board an aircraft. Fourth, intelligence available in Nigeria, London and elsewhere had not moved through the system with sufficient speed to block the terrorist from boarding the flight.

An Enduring Threat

From this three things emerge. First, although the capabilities of jihadist terrorists have declined, their organizations remain functional, and there is no guarantee that these organizations won’t increase in sophistication and effectiveness. Second, the militants remain focused on the global air transport system. Third, the defensive mechanisms devised since 2001 remain ineffective to some degree.

The purpose of terrorism in its purest form is to create a sense of insecurity among a public. It succeeds when fear moves a system to the point where it can no longer function. This magnifies the strength of the terrorist by causing the public to see the failure of the system as the result of the power of the terrorist. Terror networks are necessarily sparse. The greater the number of persons involved, the more likely a security breach becomes. Thus, there are necessarily few people in a terror network. An ideal terror network is global, able to strike anywhere and in multiple places at once. The extent of the terror network is unknown, partly because of its security systems and partly because it is so sparse that finding a terrorist is like finding a needle in a haystack. It is the fact that the size and intentions of the terror network are unknown that generates the sense of terror and empowers the terrorist.

The global aspect is also important. That attacks can originate in many places and that attackers can belong to many ethnic groups increases the desired sense of insecurity. All Muslims are not members of al Qaeda, but all members of al Qaeda are Muslims, and any Muslim might be a member of al Qaeda. This logic is beneficial to radical Islamists, who want to increase the sense of confrontation between Islam and the rest of the world. This not only increases the sense of insecurity and vulnerability in the rest of the world, it also increases hostility toward Muslims, strengthening al Qaeda’s argument to Muslims that they are in an unavoidable state of war with the rest of the world. Equally important is the transmission of the idea that if al Qaeda is destroyed in one place, it will spring up elsewhere.

This terror attack made another point, intended or not. U.S. President Barack Obama recently decided to increase forces in Afghanistan. A large part of his reasoning was that Afghanistan was the origin of 9/11, and the Taliban hosted al Qaeda. Therefore, he reasoned the United States should focus its military operations in Afghanistan and neighboring Pakistan, since that was the origin of al Qaeda. But the Christmas Day terror attempt originated in Yemen, a place where the United States has been fighting a covert war with limited military resources. It therefore raises the question of why Obama is focusing on Afghanistan when the threat from al Qaeda spinoffs can originate anywhere.

From the terrorist perspective, the Yemen attack was a low-cost, low-risk operation. If it succeeded in bringing down a U.S. airliner over Detroit, the psychological impact would be massive. If it failed to do so, it would certainly increase a sense of anxiety, cause the U.S. and other governments to institute new and expensive security measures, and potentially force the United States into expensive deployments of forces insufficient to dominate a given country but sufficient to generate an insurgency. If just some of these things happened, the attack would have been well worth the effort.