Security Theater

There’s little downside to being alarmist about terror, so we spend too much on measures that evoke feelings of security without actually improving it.

There's little downside to being alarmist about terror, so we spend too much on measures that evoke feelings of security without actually improving it.

At the time, it seemed reasonable. Richard Reid tried to ignite explosives hidden in his shoe while aboard a December 2001 flight from Paris, so Congress banned butane lighters on planes.

But in retrospect, the costs of the ban outweighed the benefits. Airport retailers had to stop selling lighters. Lighter vendor Zippo Manufacturing Co. laid off more than 100 workers in part because of the prohibition. Transportation Security Administration screeners at one point had to confiscate 30,000 lighters every day, quadrupling the amount of garbage the agency had to dispose of. TSA even had to hire a contractor to help with all the extra trash.

Meanwhile, the security benefit was minimal. Passengers were allowed to bring matches on board planes, so a determined bomber still could ignite explosives. TSA Administrator Kip Hawley later acknowledged that the search for lighters distracted screeners from the much more important task of watching for explosives and bomb components. As of Aug. 4, Hawley announced in late July, the ban will be lifted.

Author and security consultant Bruce Schneier has dubbed such cost-ineffective measures "security theater" because they evoke feelings of security without actually improving it. But it's easy to understand how the lighter ban came to pass. Lawmakers wanted to show voters they were doing something in response to Reid and the Sept. 11 terrorist attacks. Airlines were eager to restore confidence and happy to let the federal government take on the cost and responsibility of baggage screening. Neither had a motivation to argue that shoe bombers did not represent a serious enough threat to aviation to merit the lighter ban, or even to ask the question of whether they posed such a threat. Alarm overpowered reasonable cost-benefit analysis and a measured response.

Welcome to homeland security, where everyone has an incentive to exaggerate threats. A Congress member whose district includes a port has little to lose and much to gain by playing up the potential for container-borne terrorism. A city with a dam talks up the need to protect critical infrastructure. A company selling weapons-detection technology stresses the vulnerability of commercial aviation. A civil servant evaluating homeland security grant applications has an interest in over-estimating dangers that might be addressed by grantees rather than denying funding and risk blame in the event of a disaster.

Each has an incentive to be alarmist. Hardly any of the players has good reason to contemplate terrorism reasonably or to consider threats in terms of probability and finite budget resources. That lonely job falls to the Homeland Security Department, which, four years after its creation, is just beginning to integrate the complicated notion of risk analysis into its work. Most observers credit Homeland Security Secretary Michael Chertoff with talking enough about risk-not just threats-to bring some improvement. But they also say the climate of fear makes it nearly impossible to have a dispassionate discussion about the real threat of terrorism and the response it truly merits.

Overblown

John Mueller suspects he might have become cable news programs' go-to foil on terrorism. The author of Overblown: How Politicians and the Terrorism Industry Inflate National Security Threats, and Why We Believe Them (Free Press, 2006) thinks America has overreacted. The greatly exaggerated threat of terrorism, he says, has cost the country far more than terrorist attacks ever did.

Watching his Sept. 12, 2006, appearance on Fox & Friends is unintentionally hilarious. Mueller calmly and politely asks the hosts to at least consider his thesis. But filled with alarm and urgency, they appear bewildered and exasperated. They speak to Mueller as if he is from another planet and cannot be reasoned with.

That reaction is one measure of the contagion of alarmism. Mueller's book is filled with statistics meant to put terrorism in context. For example, international terrorism annually causes the same number of deaths as drowning in bathtubs or bee stings. It would take a repeat of Sept. 11 every month of the year to make flying as dangerous as driving. Over a lifetime, the chance of being killed by a terrorist is about the same as being struck by a meteor. Mueller's conclusions: An American's risk of dying at the hands of a terrorist is microscopic. The likelihood of another Sept. 11-style attack is nearly nil because it would lack the element of surprise. America can easily absorb the damage from most conceivable attacks. And the suggestion that al Qaeda poses an existential threat to the United States is ridiculous. Mueller's statistics and conclusions are jarring only because they so starkly contradict the widely disseminated and broadly accepted image of terrorism as an urgent and all-encompassing threat.

American reaction to two failed attacks in Britain in June further illustrates our national hysteria. British police found and defused two car bombs before they could be detonated, and two would-be bombers rammed their car into a terminal at Glasgow Airport. Even though no bystanders were hurt and British authorities labeled both episodes failures, the response on American cable television and Capitol Hill was frenzied, frequently emphasizing how many people could have been killed. "The discovery of a deadly car bomb in London today is another harsh reminder that we are in a war against an enemy that will target us anywhere and everywhere," read an e-mailed statement from Sen. Joe Lieberman, I-Conn. "Terrorism is not just a threat. It is a reality, and we must confront and defeat it." The bombs that never detonated were "deadly." Terrorists are "anywhere and everywhere." Even those who believe it is a threat are understating; it's "more than a threat."

Mueller, an Ohio State University political science professor, is more analytical than shrill. Politicians are being politicians, and security businesses are being security businesses, he says. "It's just like selling insurance-you say, 'Your house could burn down.' You don't have an incentive to say, 'Your house will never burn down.' And you're not lying," he says. Social science research suggests that humans tend to glom onto the most alarmist perspective even if they are told how unlikely it is, he adds. We inflate the danger of things we don't control and exaggerate the risk of spectacular events while downplaying the likelihood of common ones. We are more afraid of terrorism than car accidents or street crime, even though the latter are far more common. Statistical outliers like the Sept. 11 terrorist attacks are viewed not as anomalies, but as harbingers of what's to come.

Demystifying Security

Sept. 11 was so dramatic and scary that even suggesting that some of the resulting fear is unjustified seems blasphemous. Indeed, the release in July of a new National Intelligence Estimate and its reports of a resurgent al Qaeda served to renew and stoke those fears. But the point is not that terrorists don't exist, or that terrorist attacks won't happen. It's that the pervasive alarm about terrorism obscures the most important question the nation must grapple with: "What level of protection is enough?" Seeking 100 percent security is quixotic. There always will be some risk, but how much can we live with?

This question remains unanswered because the political climate created by alarmists, however well-intentioned, prevents it from being raised. Those who try are quickly punished. Democratic presidential candidate John Kerry said in 2004 that the goal should be to reduce terrorism to the level of organized crime-a nuisance but not "the focus of our lives." The Bush campaign immediately pounced, calling Kerry "unfit to lead," and he never used such rhetoric again.

The question "How much risk can we live with?" cuts to the heart of homeland security because the answer should guide the way government spends money, the primary tool for fighting terrorism. We simply cannot protect everything, and because budget resources are limited, spending security money protecting one asset means leaving another vulnerable. We must spend effectively and strategically. That means employing sound cost-benefit analyses to reduce risk to manageable levels is the only reasonable goal. Industry has a word for this kind of strategic thinking: risk management.

"Risk management is about playing the odds," writes Schneier in Beyond Fear: Thinking Sensibly About Security in an Uncertain World (Copernicus Books, 2003). "It's figuring out which attacks are worth worrying about and which ones can be ignored. It's spending more resources on the serious attacks and less on the frivolous ones. It's taking a finite security budget and making the best use of it. We do this by looking at the risks, not the threats."

Schneier wants to demystify security for the masses. He rails against the paternalism of politicians and pundits who, he says, purport to have the answers to complex security dilemmas. Schneier, who once implemented security solutions for the Defense Department and has consulted for other governments and financial institutions, says there are no right answers. Security is all about trade-offs, and anyone can make those judgments.

'Peanut Butter' Spending

DHS has received $130 billion in budget authority since 2001 and that certainly buys more security. But more security does not necessarily make the country more secure. How much risk has that $130 billion bought down? No one knows because DHS has neither a long-term, risk-based strategic plan nor a comprehensive way of measuring risk reduction. Mueller, Schneier and many others suggest that politics, not risk, determines how the department spends money. It's not the politics of insider contracts and influence peddling, but the need to be seen as responding somehow to bad news while at the same time not knowing which reaction, if any, is appropriate.

Examples of questionable priorities abound. Intelligence and warning capabilities are less visible than detectors and other more high-profile security measures, but nearly everyone agrees they are vital to counterterrorism. Yet such programs account for less than 1 percent of government spending on homeland security, according to the Congressional Research Service.

Veronique de Rugy, a fellow at the American Enterprise Institute for Public Policy Research and a visiting scholar at George Mason University's Mercatus Center, has studied DHS' budget extensively. She points out that TSA will have spent more than $14.7 billion in five years screening airline passengers when it could have reduced most of the risk with a single measure that will cost only $100 million over 10 years: reinforcing cockpit doors. A would-be hijacker's options are severely limited if the cockpit is inaccessible.

De Rugy sees significant problems in DHS grant programs. By the end of fiscal 2008, DHS will have given $12 billion in grants to state and local governments without a way to measure whether the investment has reduced the risk of terrorism. In particular, de Rugy faults congressional requirements that originally guaranteed each state a minimum allotment. Instead, DHS should be focusing on a few high-risk areas, she says. "They think 'If we do something about it, no matter what [good it does], then we can claim we're on top of everything,' which is exactly the opposite," says de Rugy. "If you're spread really thin, you're not achieving anything."

Chertoff refers to this as "spreading the money around like peanut butter on a piece of bread, with everybody getting a little bit." He opposes it. In his first major address as secretary in March 2005, Chertoff said DHS actions should be dictated by risk, not by threats, even though threats capture the focus and imagination of the public and media. "A terrorist attack on the two-lane bridge down the street from my house is bad, but has a relatively low consequence compared to an attack on the Golden Gate Bridge," he said.

The secretary's influence is visible in homeland security grant programs. At first, the department crudely calculated risk by using population as a proxy. Later, figures for the extent of threat and the presence of critical infrastructure were added to the equation. Chertoff introduced a new equation: Risk is equal to threat times vulnerability times consequence.

For the first time, DHS is considering probabilities in the calculations that drive grants and other security investments.

And after the department's controversial Urban Areas Security Initiative grants ignited a firestorm last year, officials refined the program. Applicants now must submit an investment justification for the funds they are requesting. The list of critical infrastructure considered when calculating a city's risk now has only 2,100 facilities-mostly dams, power plants and other significant structures, according to Chertoff. (The fiscal 2006 list, mocked for including a popcorn factory and a hot dog stand, included 200,000 assets.) And perhaps most significantly, DHS now rates all parts of the country as equally vulnerable to attack. Thus, the likely consequences of an attack account for 80 out of 100 "risk points," making that the predominant factor in choosing where to allocate $746 million. The other 20 points are determined by threat analyses.

Risk Simulator

Risk management long has been used in the finance, insurance and engineering fields. But applying it to counterterrorism is much more difficult because uncertainty about terrorists' intent and capabilities requires some guesswork. Chertoff gets credit for elevating the concept of risk, but even his backers say the department has a long way to go. "I applaud him; he introduced the idea of risk and it has caught on," says Randy Beardsworth, formerly DHS' assistant secretary for strategic plans. "But it's caught on at the 101 level. We need to move to the graduate level-the 501." This is where risk gets more complicated. Beardsworth says the government is much better comparing risk at the tactical level-one nuclear plant versus another-than at the strategic level. Is there more risk associated with air travel or mass transit, for instance?

Before leaving DHS in September, Beardsworth was leading a working group to develop a strategic risk tool for Chertoff. The tool would allow him to compare the risk reduction impact of different programs. In one case, DHS could spend millions more dollars and still not lower the risk appreciably. In another case, a small additional investment would reduce risk substantially. In short, the DHS secretary could articulate clear and understandable reasons for making investments. "The cynics will say it's all politics," Beardsworth says. "But as a career guy, I really don't care. This is the right way to look at how to spend money in the homeland security world."

Beardsworth says work on the tool stalled after he left. It seems to have been picked up by the new Risk Management and Analysis Office in the Directorate for National Protection and Programs created last year. That office began functioning in April, the first time a single entity has collected risk information departmentwide. Its first tasks are cataloging the risk management methodologies DHS component agencies use and developing a single set of common principles.

"It'd be a nice, neat area to say there's only one [risk] formula," says Tina Gabbrielli, acting director of the Risk Management and Analysis Office. "If that were the case, I'd have a pretty easy job. What I learned quickly is that when it comes to risk and risk analysis methodologies, one size does not fit all." The long-term goal is to allow the DHS secretary to know, for instance, how the department can best reduce risk over the next five years. But Gabbrielli admits that capability is a long way off.

The level of difficulty becomes clear when considering actual applications-transportation systems, for example. Does an improvement in an airport's weapons screening technology really buy down any risk? Or does it simply shift risk, pushing the terrorist to find a way around checkpoints, such as an employee entrance. Does outfitting commercial jets with systems to defend against shoulder-fired missiles-which could cost as much as $1 million per plane-reduce the risk of attack or simply motivate the terrorist to aim his missile at another target?

This is where a new risk management analysis tool comes in. TSA issued a solicitation in late June for a computer simulator that would measure the effectiveness, in terms of risk reduction, of various aviation countermeasures. The simulator would use terrorist teams and government teams and would test multiple defense systems to find the most effective sequence of countermeasures.

The problem, de Rugy points out, is that even though DHS is making progress implementing risk management, more terrorist attacks likely will occur. And when they do, the alarm bells will ring, making it nearly impossible to honestly debate security priorities. "Even if it's, like, 50 people being killed, which is horrible, it's very likely it's something not worth investing billions of dollars," she says. "And who's going to be saying that?"

NEXT STORY: Power Play

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.