Malefactors expand into new challenges and venues.
A U.S. vehicle patrols a stretch of border fence in Arizona where a border patrol official was killed by drug traffickers. The Department of Homeland Security is wary of the indiscriminate violence plaguing Mexican civilians spilling over into the United States.
The threat to the
During this period, the threat has evolved to include both new players and new tactics. Terrorists and organized crime are becoming more alike in their methods and goals. The exponential growth of cyberspace has increased the threat from actions in it, and that threat now may come embedded in hardware built in foreign countries. The information age itself could be a target via the economy that it spawned.
Michael Chertoff, the secretary of homeland security, aims for a realistic assessment of the threat to the homeland. In a SIGNAL Magazine interview, Chertoff outlined the broad spectrum of threats to
“Homeland security is not a subject about which we ought to be hysterical or obsessed with, but it also is not a subject that we can feel has passed us by—‘we haven’t been attacked for seven years, there is no big deal here, let’s turn our attention to something else and forget this,’” Chertoff warns. “If there is any lesson that the ongoing financial crisis brings for homeland security, it is that not paying attention to risks when they are distant creates huge problems when the risks materialize.
“We don’t live in a world where we can afford to do one thing at a time,” he continues. “It’s very important to fix the economy, but that’s not a reason to divert our attention from the need to also continue to protect our families, our lives and our economic system.”
He notes that the cascading effects of terrorism run from loss of life to significant economic consequences. Taken with the crisis afflicting the global economic system, a terrorist attack today could have a severely deleterious effect on the economy. And, there are many players who could wreak that kind of havoc.
Al-Qaida remains a serious threat in that it is focusing on carrying out attacks against
“And, if we relent, that threat can easily rise up again,” he declares.
But while al-Qaida remains a threat from a strategic standpoint, other threats loom as concerns to
Other groups are emerging from unlikely backgrounds. The Colombian rebel group FARC, despite having suffered significant recent setbacks, is an example of transnational groups that defy traditional characterizations. FARC combined political goals with conventional criminal activities such as smuggling and extortion to become a hemispheric threat.
Less political groups such as MS-13 largely have based their actions on criminal activities, but they pose a security threat as well. Chertoff allows that he has not yet seen criminal groups migrating to political activities, but sooner or later one of these groups will opt to develop a political philosophy to rationalize their activities. “It’s just too easy to do and too tempting in terms of making yourself bigger than life,” he notes. “It also pays benefits because if you can corrupt or weaken governments, you actually can leverage your criminality. There is a certain amount of convergence between governmental corruption and transnational criminality that can come from both ends.”
And criminal activities along the
While FARC’s effectiveness has been reduced substantially, Chertoff warns of other
The greatest risk remains a weapon of mass destruction—nuclear, biological or radiological. Chertoff emphasizes that he does not believe that these threats are imminent, but the possibility of their use is not completely remote. He points out that the
Chertoff says the
| “Not paying attention to risks when they are distant creates huge problems when the risks materialize.”|
—Michael Chertoff, Secretary of Homeland Security
Congress has mandated that by 2012, every container destined for the
This goal has a loophole: a future Homeland Security secretary in 2012 can extend that deadline. Chertoff believes that a future secretary will need to ask Congress to change that law.
The department also is striving to secure radioactive material in the homeland, particularly that used or held in medical and industrial facilities. Theft is the main worry here. To prevent or mitigate a biological attack, the department is stockpiling treatments, Chertoff points out. Part of that equation is to ensure that these treatments can be moved out to where they can be more readily accessible by the general public quickly.
In addition to the physical realm, cyberspace is threatened by terrorism. Chertoff notes that the country has been plagued for some time by cyberattacks ranging from nuisances to sophisticated onslaughts. These include exfiltration of information, denial of service and corruption of databases, to name a few. With most information assets in private hands, networking extends vulnerabilities across the spectrum.
“A network only is as strong as its weakest node,” he observes. “We have a lot of nodes, and often the security efforts we undertake are inconsistent with the fluidity in the open architecture of the Internet. So, the question is how do you devise a system that will incentivize people to protect their own systems if they’re networked—and how do we enable them to do that in a way that doesn’t compromise some of the most sensitive kinds of techniques that we’ve developed?”
The new national cyberstrategy is designed to focus on that, he adds. Many techniques the government employs for cyberdefense are extremely sensitive, so the difficulty lies in providing them without enabling enemies to reverse-engineer them to their own advantage.
But another threat lies in the very nature of commercial off-the-shelf software and hardware—the potential for trapdoors or Trojan horses. Many information technology systems include components that are manufactured by subcontractors in foreign countries where the customer has little control over processes and personnel. Chertoff cites how financial data in
“How do you make sure, in a global environment, that you are not acquiring systems that have that kind of a defect in them?” he asks. “How does that interact with global trade, and who vets it? That is going to increasingly become a problem. In some ways, it’s the high-tech version of how you know what is in the [imported] food you’re getting.”
Solving this problem will require overcoming a host of issues ranging from regulation to trade protectionism. Chertoff expresses that he is cautious about the idea of establishing a government program that validates the quality of what goes into hardware and software. Ultimately, he believes, this form of verification may become a new line of business. “The issue of quality assurance is the biggest challenge in a global environment,” he declares.
Embedded malware could become the tool of choice for organized crime or foreign organizations, including intelligence agencies. Foreign espionage could benefit from data rerouted to an overseas government by an innocuous chip in a network. Or, a denial-of-service attack could be triggered by a chip that uses embedded malware to generate hordes of messages. Chertoff will not comment on whether the
The worst type of attack would be a denial or corruption of service, Chertoff says. For example, if a cyberattack changed the figures in the financial sector, the effect would be substantial. People no longer would trust the financial sector to maintain the integrity of their accounts. “If people doubt the value of what they have, that causes transactional crisis,” he states. “Imagine if a financial institution could not verify accounts. You don’t have to hit everybody to create the crisis of confidence.”
Sometimes the best solution is nontechnical in nature, he adds. For example, merely printing out backups of vital documents guarantees that their electronic destruction does not completely eliminate their data. Similar solutions may reduce the effects of high-technology vulnerabilities.
Chertoff notes that the department is conducting a lot of planning with state and local governments to respond to many disaster scenarios, whether natural or human-driven. He does cite the need to maintain and repair infrastructure that, if it fails, would provide a catastrophic multiplier effect to a natural disaster.
He calls for a public-private partnership to solve many of the homeland security challenges facing the nation. Government’s role should be that of a standard-setter rather than an overseer.
“Some people believe that the government ought to do everything itself—everything ought to be guarded by the government, the government ought to micromanage every business,” he relates. “That would be a horrendously expensive and not particularly effective way of securing the homeland.
“On the other hand, while most companies and businesses are responsible about securing their activities and their employees, sometimes they don’t internalize the cost of failures that might relate to other people who would be impacted by a failure,” Chertoff continues. “There may be a tendency to underspend or underprotect, particularly for those businesses that are in the center of a network of interdependencies.
“It’s like the person who decides not to get insurance because it’s an expense,” he analogizes. “Insurance is an expense until it winds up paying for a disaster. I’ve seen that with terrorism; I’ve seen that with hurricanes; I’ve seen it with the financial system—it’s what financial people call ‘the fat tail of risk.’ That high consequence and low probability of risk is the thing that you can’t lose sight of, and we have learned that lesson again and again over the past 10 years, and we’re going to keep learning it—and that is why we must keep investing in these security issues.”
Chertoff believes that government has a role to play in setting performance standards and requirements. These would ensure that no business would misjudge its vulnerability in a way that would cause many other businesses to fail as well. “The public-private partnership is about our setting standards for what you need to do, giving the private sector the ability to meet the standards in different ways, and then ultimately our willingness to prod those laggards who don’t come up to snuff,” he concludes.
“It’s really tempting when [a company] is cutting costs to say, ‘What are the chances that we’re going to be attacked? Let’s save the money and put it into something that yields a more immediate return on investment.’ The problem is, that was exactly the attitude that a lot of financial institutions took a couple of years ago. Now, they are digging themselves out of very deep holes in very unhappy circumstances,” Chertoff notes. “Companies that do not take seriously their responsibility to protect themselves, their employees and their assets—and also others who rely on them—are playing with fire. They’re gambling that they are not going to wind up with a catastrophic problem in which they not only imperil their business, but they also may actually face liability.”