Homeland Security Threats, Solutions Become More Diverse

January 2009
By Robert K. Ackerman
E-mail About the Author

 
A U.S. vehicle patrols a stretch of border fence in Arizona where a border patrol official was killed by drug traffickers. The Department of Homeland Security is wary of the indiscriminate violence plaguing Mexican civilians spilling over into the United States.
Malefactors expand into new challenges and venues.

The threat to the U.S. homeland is more varied than when the Department of Homeland Security was founded in the wake of the September 11, 2001, attacks, according to the department’s outgoing secretary. While the group that launched the attack remains a primary issue, other organizations have emerged as potential malefactors to the U.S. homeland. And, the possibility of an attack on the homeland using weapons of mass destruction still is a major concern.

During this period, the threat has evolved to include both new players and new tactics. Terrorists and organized crime are becoming more alike in their methods and goals. The exponential growth of cyberspace has increased the threat from actions in it, and that threat now may come embedded in hardware built in foreign countries. The information age itself could be a target via the economy that it spawned.

Michael Chertoff, the secretary of homeland security, aims for a realistic assessment of the threat to the homeland. In a SIGNAL Magazine interview, Chertoff outlined the broad spectrum of threats to U.S. homeland security while warning against both overreaction and complacency.

“Homeland security is not a subject about which we ought to be hysterical or obsessed with, but it also is not a subject that we can feel has passed us by—‘we haven’t been attacked for seven years, there is no big deal here, let’s turn our attention to something else and forget this,’” Chertoff warns. “If there is any lesson that the ongoing financial crisis brings for homeland security, it is that not paying attention to risks when they are distant creates huge problems when the risks materialize.

“We don’t live in a world where we can afford to do one thing at a time,” he continues. “It’s very important to fix the economy, but that’s not a reason to divert our attention from the need to also continue to protect our families, our lives and our economic system.”

He notes that the cascading effects of terrorism run from loss of life to significant economic consequences. Taken with the crisis afflicting the global economic system, a terrorist attack today could have a severely deleterious effect on the economy. And, there are many players who could wreak that kind of havoc.

Al-Qaida remains a serious threat in that it is focusing on carrying out attacks against U.S. interests at home and abroad. It does not limit its targets to Americans, as it continues to threaten others in Europe and Asia, including Muslims. The terrorist group’s capabilities were degraded when it was forced out of Afghanistan, Chertoff points out. However, it has reconstituted to some extent in the border region with Pakistan and in other areas such as Yemen, Somalia and North Africa, where it has merged with existing local groups.

“And, if we relent, that threat can easily rise up again,” he declares.

But while al-Qaida remains a threat from a strategic standpoint, other threats loom as concerns to U.S. security experts. Hezbollah has not attacked Americans in recent years, but it has in the past and it has grown stronger over the years. And, it is increasing its footprint in several regions of the world, including the Western Hemisphere. Always a capable terrorist organization, Hezbollah is supported by Iran, and it has conducted fundraising in the United States—the government did prosecute a case involving Hezbollah smuggling cigarettes in North Carolina. Chertoff emphasizes that it has not undertaken any activities against the United States in the U.S. homeland, but it remains a threat “that we are mindful of. Where you finance, you could also operate,” he observes. “They are a very capable organization, and they could become a real danger if they were to decide that now was the time for it to carry out an attack against the United States.”

Other groups are emerging from unlikely backgrounds. The Colombian rebel group FARC, despite having suffered significant recent setbacks, is an example of transnational groups that defy traditional characterizations. FARC combined political goals with conventional criminal activities such as smuggling and extortion to become a hemispheric threat.

Less political groups such as MS-13 largely have based their actions on criminal activities, but they pose a security threat as well. Chertoff allows that he has not yet seen criminal groups migrating to political activities, but sooner or later one of these groups will opt to develop a political philosophy to rationalize their activities. “It’s just too easy to do and too tempting in terms of making yourself bigger than life,” he notes. “It also pays benefits because if you can corrupt or weaken governments, you actually can leverage your criminality. There is a certain amount of convergence between governmental corruption and transnational criminality that can come from both ends.”

And criminal activities along the U.S. southern border are beginning to enter the realm of terrorism. Chertoff cites the indiscriminate violence against innocent civilians in the border regions in Mexico. While this violence has not spilled over into the United States to any significant measure, the intimidation of the local population is taking on a tactical nature. “It is something that we are mindful of in terms of what we do on the southern border in terms of addressing any spike in violence that might come across and impact us on our side of the border,” he says.

While FARC’s effectiveness has been reduced substantially, Chertoff warns of other Western Hemisphere nations whose leaders are strongly anti-American. “There is always the danger that they will lend support to groups like the FARC or similar as a way of interfering with American interests,” he points out.

The greatest risk remains a weapon of mass destruction—nuclear, biological or radiological. Chertoff emphasizes that he does not believe that these threats are imminent, but the possibility of their use is not completely remote. He points out that the United States already has suffered a biological terrorism attack—the anthrax mailings in 2001. “Building and investing a capability to prevent or mitigate that type of attack is, to me, the most important priority for the department and for the country as it relates to homeland security,” he declares. “And we don’t have time to waste.”

Chertoff says the United States must continue to build a capability for detecting radioactive material. The country currently scans virtually every incoming cargo container, and the department has initiated a process to provide that same capability for private aviation entering the United States. If this effort continues to fruition, it will plug an important vulnerability, he warrants.

 “Not paying attention to risks when they are distant creates huge problems when the risks materialize.”
                                                                 —Michael Chertoff, Secretary of Homeland Security

Congress has mandated that by 2012, every container destined for the United States must be scanned at its overseas port of departure, Chertoff notes, but this is not an easily attained goal. The United States is moving ahead on that goal in some countries, but not all countries are of the same mind. “I think 100 percent is not a practical goal,” Chertoff declares. “Suppose another country says ‘no,’” he offers. “Some can’t because they lack the physical architecture; the port won’t allow it. Some won’t because they choose not to; they don’t want to bear the expense or they don’t want to get involved in having our enforcement people on their soil. What are you going to do?”

This goal has a loophole: a future Homeland Security secretary in 2012 can extend that deadline. Chertoff believes that a future secretary will need to ask Congress to change that law.

The department also is striving to secure radioactive material in the homeland, particularly that used or held in medical and industrial facilities. Theft is the main worry here. To prevent or mitigate a biological attack, the department is stockpiling treatments, Chertoff points out. Part of that equation is to ensure that these treatments can be moved out to where they can be more readily accessible by the general public quickly.

In addition to the physical realm, cyberspace is threatened by terrorism. Chertoff notes that the country has been plagued for some time by cyberattacks ranging from nuisances to sophisticated onslaughts. These include exfiltration of information, denial of service and corruption of databases, to name a few. With most information assets in private hands, networking extends vulnerabilities across the spectrum.

“A network only is as strong as its weakest node,” he observes. “We have a lot of nodes, and often the security efforts we undertake are inconsistent with the fluidity in the open architecture of the Internet. So, the question is how do you devise a system that will incentivize people to protect their own systems if they’re networked—and how do we enable them to do that in a way that doesn’t compromise some of the most sensitive kinds of techniques that we’ve developed?”

The new national cyberstrategy is designed to focus on that, he adds. Many techniques the government employs for cyberdefense are extremely sensitive, so the difficulty lies in providing them without enabling enemies to reverse-engineer them to their own advantage.

But another threat lies in the very nature of commercial off-the-shelf software and hardware—the potential for trapdoors or Trojan horses. Many information technology systems include components that are manufactured by subcontractors in foreign countries where the customer has little control over processes and personnel. Chertoff cites how financial data in Western Europe was stolen by malware embedded in a chip in an automated teller machine. In this global economic environment, companies must find a way to ensure that they can validate their hardware and software. This is a big challenge, Chertoff adds.

“How do you make sure, in a global environment, that you are not acquiring systems that have that kind of a defect in them?” he asks. “How does that interact with global trade, and who vets it? That is going to increasingly become a problem. In some ways, it’s the high-tech version of how you know what is in the [imported] food you’re getting.”

Solving this problem will require overcoming a host of issues ranging from regulation to trade protectionism. Chertoff expresses that he is cautious about the idea of establishing a government program that validates the quality of what goes into hardware and software. Ultimately, he believes, this form of verification may become a new line of business. “The issue of quality assurance is the biggest challenge in a global environment,” he declares.

Embedded malware could become the tool of choice for organized crime or foreign organizations, including intelligence agencies. Foreign espionage could benefit from data rerouted to an overseas government by an innocuous chip in a network. Or, a denial-of-service attack could be triggered by a chip that uses embedded malware to generate hordes of messages. Chertoff will not comment on whether the United States has seen evidence of these types of attacks from foreign governments.

The worst type of attack would be a denial or corruption of service, Chertoff says. For example, if a cyberattack changed the figures in the financial sector, the effect would be substantial. People no longer would trust the financial sector to maintain the integrity of their accounts. “If people doubt the value of what they have, that causes transactional crisis,” he states. “Imagine if a financial institution could not verify accounts. You don’t have to hit everybody to create the crisis of confidence.”

Sometimes the best solution is nontechnical in nature, he adds. For example, merely printing out backups of vital documents guarantees that their electronic destruction does not completely eliminate their data. Similar solutions may reduce the effects of high-technology vulnerabilities.

Chertoff notes that the department is conducting a lot of planning with state and local governments to respond to many disaster scenarios, whether natural or human-driven. He does cite the need to maintain and repair infrastructure that, if it fails, would provide a catastrophic multiplier effect to a natural disaster.

He calls for a public-private partnership to solve many of the homeland security challenges facing the nation. Government’s role should be that of a standard-setter rather than an overseer.

“Some people believe that the government ought to do everything itself—everything ought to be guarded by the government, the government ought to micromanage every business,” he relates. “That would be a horrendously expensive and not particularly effective way of securing the homeland.

“On the other hand, while most companies and businesses are responsible about securing their activities and their employees, sometimes they don’t internalize the cost of failures that might relate to other people who would be impacted by a failure,” Chertoff continues. “There may be a tendency to underspend or underprotect, particularly for those businesses that are in the center of a network of interdependencies.

“It’s like the person who decides not to get insurance because it’s an expense,” he analogizes. “Insurance is an expense until it winds up paying for a disaster. I’ve seen that with terrorism; I’ve seen that with hurricanes; I’ve seen it with the financial system—it’s what financial people call ‘the fat tail of risk.’ That high consequence and low probability of risk is the thing that you can’t lose sight of, and we have learned that lesson again and again over the past 10 years, and we’re going to keep learning it—and that is why we must keep investing in these security issues.”

Chertoff believes that government has a role to play in setting performance standards and requirements. These would ensure that no business would misjudge its vulnerability in a way that would cause many other businesses to fail as well. “The public-private partnership is about our setting standards for what you need to do, giving the private sector the ability to meet the standards in different ways, and then ultimately our willingness to prod those laggards who don’t come up to snuff,” he concludes.

“It’s really tempting when [a company] is cutting costs to say, ‘What are the chances that we’re going to be attacked? Let’s save the money and put it into something that yields a more immediate return on investment.’ The problem is, that was exactly the attitude that a lot of financial institutions took a couple of years ago. Now, they are digging themselves out of very deep holes in very unhappy circumstances,” Chertoff notes. “Companies that do not take seriously their responsibility to protect themselves, their employees and their assets—and also others who rely on them—are playing with fire. They’re gambling that they are not going to wind up with a catastrophic problem in which they not only imperil their business, but they also may actually face liability.”

 

Enjoyed this article? SUBSCRIBE NOW to keep the content flowing.