Friday, December 31, 2010

Authority, Uniforms, and Crisis

On October 21, 2010, a man named Piggee apparently torched the Galleria shopping mall in Roseville, CA, setting ablaze an as yet unextinguished fire over who was responsible for causing sprinklers to be deactivated. The theory offered up at the time was that the arsonist could have had an improvised explosive or an accomplice with him and that turning on the sprinklers could have impeded law enforcement's use of a robot that was to be used to deactivate the bomb. In the 70-minute self-inflicted wound arising from intentional deactivation of the sprinklers, the fire raged through the premises, ultimately causing an estimated $55 million in damage. Meanwhile, the controversy made worse with bureaucratic blame-dodging is this: who is really responsible for the sprinkler deactivation order?

So far, the identified agent of deactivation is an unnamed maintenance worker acting on the orders of police. However, law enforcement denies giving such an order. News accounts also mention a UPS driver as a possible witness and even hint that security guards may have something to say beyond their predictable lament that a shortage of security guards no doubt contributed to the catastrophe. Could there be a trace element of truth in all this apparent dodging? Perhaps.

In times of crisis, people turn to visible signs of authority, and few cues announce authority as convincingly as a purposeful order from someone in uniform. Thus a nurse wearing a uniform in the immediate aftermath of a Northridge earthquake is more likely to have her orders followed by passersby than a four-star general wearing a golf shirt. It is just the way things are.

Under the circumstances, then, it is within the realm of the conceivable that a uniformed janitor, guard, maintenance worker, or even police officer speaking with authority could very well have issued the command that hindsight now judges to have been ill-advised. Systemically, the problem is not so much with the bad call -- although there should be consequences for it -- as with the lack of accountability and, by extension, an implicit insulation against learning from such mistakes. Another problem is that anyone in uniform of any kind with enough experience of crisis to realize what power the uniform may carry with it should also demonstrate a corresponding sense of what responsibility goes with that power. If you think you can tell people what to do by virtue of your attire and some command presence, then both you and your employer should be responsible and courageous enough to own up to your bad calls, to take credit not only for the sunshine but also for the rain. That such an admission of responsibility has not surfaced two months after the fact is troubling. It suggests that someone or some organization -- or both -- remain oblivious to a lesson that even a nodding acquaintance with Watergate should have taught them. It is not necessarily so much the error that results in your undoing. It is the cover-up.

Sooner or later, independent investigation bolstered by sworn testimony will make some bureaucrat regret not having made an early admission of responsibility in this matter.

-- Nick Catrantzos

Monday, December 20, 2010

Security and Time

In time, all security measures grow obsolete. The cavalry falls before the Panzer, the spear finds more space in museums than rifle racks, and the shoulder-fired missile makes short work of a biplane’s twin machine guns. Moats and ignited oil poured over the parapet offer little defense against precision-guided bombs or cruise missiles. As the means of successful attack change, so too must defenses adapt. Yet here we are, both attackers and defenders, ostensibly concentrating our adaptive skills into focusing on degree of attack and defense. Attackers seem to continue to concentrate on commercial airplanes as key targets, with innovation apparently limited to means of smuggling more exotic bombs that will elude detection. Similarly, defenders focus their resources on detection technology and increasingly more technologically invasive inspections at control points. Is this wise?

It certainly may be, for the attacker. A relatively modest investment in occasional aviation attacks – no matter how ham-handed or unsuccessful – does appear to consistently spawn more costly expenditure at the security screening point. The cost to defenders is not only in the expense associated with fielding and training screeners to use the latest equipment. An arguably greater cost comes in the form of alienating the constituency the screeners exist to defend. This, in turn, opens the door to new vulnerabilities and erosion of the kind of voluntary compliance at the heart of most effective security systems. Alienate enough passengers, and you will no longer find them engaging productively to report suspicious characters or take any part in what they perceive to be a supporting role for an unthinking bureaucracy.

Meanwhile, as this erosion of support accelerates further with each periodic aviation security scare, what is an attacker to do? Hatch the next plot and fine tune new tactics. Mumbai offers an example. After the attack’s devastation is over, residual dividends come from whispers of another such attack about to occur somewhere else. So now the European travel and hotel industries can look forward to decline in business thanks to November scares hinting at an imminent attack of the Mumbai variety that was to be transplanted to Germany or France.

These are great times for underfunded adversaries and difficult times for inflexible defenders. The former appear to be dictating the latter’s tactics and major investments – a sure signal that the next big surprise attack will not so much be inconceivable as just not addressed in time to limit the attending devastation.

FOOTNOTE: One day after the foregoing, the Washington Post presented this article questioning TSA's impetuous embrace of technology as panacea:

http://mobile.washingtonpost.com/c.jsp?item=http%3a%2f%2fwww.washingtonpost.com%2fwp-syndication%2farticle%2f2010%2f12%2f20%2fAR2010122005599_mobile.xml&cid=578815

-- Nick Catrantzos

Tuesday, November 30, 2010

Armor’s Slave

There are times when security fears and the measures they spawn take a debate too quickly into how instead of whether. Such an occasion is captured in Philip Kennicott’s Washington Post article, “Monument protection presents a monumental security issue.” (Available at http://mobile.washingtonpost.com/c.jsp?item=http%3a%2f%2fwww.washingtonpost.com%2fwp-syndication%2farticle%2f2010%2f11%2f07%2fAR2010110704572_mobile.xml&cid=578815&page=6) It may as well be called monumental protection without commensurate security.

The article presents a mad ramble and hodgepodge of ideas driven by little more than subjective, look-and-feel aesthetics. This is the how debate, i.e., how to defend something symbolic through measures like access tunnels that soon grow out of all proportion to their cost and object served. Nevertheless, it also raises, in muted falsetto, the oft-ignored option of closing public access to a viewing platform that has long since lost its allure and distinction. This is the whether debate, i.e., whether it still makes sense to keep some things accessible to the public at all costs. Historical context informs this debate. There was a time when climbing the Washington Monument from within afforded the tourist a commanding view from a height inaccessible to the average citizen. The age of skyscrapers has eclipsed this thrill, however. There was also a time when concerns of safety for tourists and accessibility for disabled persons would not factor into design of such attractions. Nor was it then conceivable that such platforms could serve as perches for snipers or targets for terrorists. Those times are gone.

The whether debate needs to be revisited before going too far into the how debate. Security is always a tradeoff, since total protection would mean zero access. Intelligently addressing questions of whether it makes sense to sustain a level of public access to the point of imposing draconian security measures is an excellent management and security discussion to have before allocating protective resources. It also recalls Robert Browning’s observation: A man in armor is his armor’s slave. In this case, overprotection becomes self-defeating.

-- Nick Catrantzos

Tuesday, November 23, 2010

Channel Checks, Insider Mischief, or Both?

The financial services industry gave us the term insider trading to label the illicit practice of breaching fiduciary responsibilities to benefit financially from ethical lapses. Now it adds another term to a related lexicon. “Channel checks” are to insider trading scenarios what independent research is to espionage. They represent a legitimate monitoring of indicators which theoretically should signal the likelihood of important activities without compromising the same activities by betraying confidences. Think of them as the equivalent of inferring a major military action is being planned because pizza orders from Domino’s have quadrupled at the Pentagon on a given night – a sure sign that people are working into the wee hours. Channel checks involve research focusing on logistics chains to uncover what high tech company is on the verge of ramping up or slowing down a major production effort. In theory, with enough of this kind of visibility into supply chains, anyone who understands the manufacturing end of a given business would be able to infer when a firm is getting ready for a new product launch or sizable venture. At least, this is the plausible explanation offered by a research consultant and adviser to investors in technology companies. Why is this explanation necessary?

The FBI descended upon such an adviser, accusing him of insider trading and allegedly attempting to use the specter of imminent prosecution to compel the adviser to turn informant against a bigger target. Details are in Wall Street Journal reporter Susan Pulliam’s November 21 article, “FBI visit exposes trade-probe tactics” (available at http://online.wsj.com/article/SB10001424052748703567304575629061523575940.html).

What did the consulting adviser do under the circumstances? He explained that he makes his living channel checking, not insider trading. Then, instead of cooperating as an informant, he fired off a broadcast e-mail alerting his clients of his circumstances. While he claimed he was honor-bound to do this, the action also foreclosed his viability in his chosen field. No client is now making contact with him, out of fear that this 50-something consultant will have his communications intercepted by the FBI even if they are above-board. Who wants to seek out even a cameo appearance in a federal investigation and trial that would likely mean the kind of lost productive time that is anathema to entrepreneurs? Worse still, what if the same entrepreneurs recognize their own fallibility and concede that they do not want their unguarded speech making a media debut as the result of a federal wiretap?

There is another facet to this event that goes beyond speculation on whether the activity under scrutiny exemplifies illicit insider trading or scrupulous channel checking. What is it? It is the flowering of a cover story that can be tailored and embroidered to mask insider trading in the future. Henceforth, if this is not happening already, the most flagrant of insider traders can devote a little attention to clipping news articles and gathering odd bits of information after the fact to store in a Pearl Harbor file calculated to make the case that he was brilliantly analytical, not crooked, when he drew the identical conclusion that only an insider would have been able to draw.

-- Nick Catrantzos

Saturday, October 30, 2010

When Chemistry and Law Collude

It is sometimes possible to give creativity its due, even when one takes issue with its results. Thus, when a 49-year-old Scot turns from crack addict to designer drug entrepreneur with the help of a pharmacologist, he merits a certain grudging acknowledgement for shrewdness in staying out of jail by selling drugs that are not yet illegal.

What does he do? He synthesizes drug knock-offs that are not technically illegal yet produce effects drug buyers desire. Evidently, Belgium offers an attractive base of operations for his business, according to the Wall Street Journal (http://online.wsj.com/article/SB10001424052748704763904575550200845267526.html?mod=WSJ_hpp_editorsPicks_3). Thus, it is the likes of David Llewellyn we have to thank for expanding the lexicon of recreational drugs with street names like Meow Meow and Nopaine. Indeed, Llewellyn boasts that Nopaine, a modified version of the attention-deficit drug Ritalin, serves as a working substitute for cocaine in its look and feel. Meow Meow, on the other hand, also known as Mephedrone, M-cat, and Drone, is an amphetamine surrogate.

Why Belgium? Evidently, Europe in general is a more friendly incubator for designer drugs because authorities lack the wherewithal to ban them or interdict their legal distribution before their purveyors realize substantial profits. Next stop? The United States – at least, for the gray-area drugs that can attract customers and outpace law enforcement.

Still, innovation in one area often inspires innovation in another. What are the Belgians doing to counter Llewellyn’s innovative synthesis of chemistry, legal hair splitting, and drug pushing? They are using different laws to shut him down, raiding his facilities on the basis of environmental law infractions and confiscating laboratory equipment for which he lacks the proper professional license. Who says bureaucracy cannot occasionally offer value elsewhere unavailable? Bravo, Belgium, for seeing to it that chemistry and law not only collude but collide.

-- Nick Catrantzos

Friday, October 29, 2010

Curse of the Indelicate Obvious

There is a modern curse more deadly to the secure enterprise than a squadron of scoundrels. What is it? The curse of the indelicate obvious, or the intentional denial of blatant indicators that something is amiss, for fear of running afoul of some perceived standard or arbiter of unfairness. Common sense is a great boon to protection, and it is a mistake to dismiss it out of fear of defamation suits or grievances. Consider: Should a financial institution hire into a position of trust someone whose personal credit is in disarray or who was previously convicted of fraud? Common sense says no. But moral outrage expressed by the applicant’s champions could easily browbeat the faint of heart into negating this reasonable protective decision.

Similarly, a wise employer realizes that it is generally a good idea to avoid hiring people whose behavior indicates that they treat the workplace as a platform for self-expression at employer expense. What are the clues? Blogs and social media postings highlighting indiscretions or even boasting about converting employer assets to personal gain or about threatening bosses with intimidation tactics or even physical harm.

While the front-line supervisor knows that ignoring such signs means paying for them later in lost productivity or work team disruptions, support staff often present a different perspective. Theirs is the world of hierarchical harmony and avoidance of legal, public relations, and reputational risk – all worthy objectives. However, one may as well fall flat on his face as bend over too far backwards. In their eagerness to avoid bad press or unpopular contests, these staff advisers tend to counsel too much caution, advising that no line manager ever act on any clues other than what exists in a given box of the job application. This is what John Steinbeck would have called the kind of smartness that cuts its own throat.

The solution? Don’t over-rely on imperfect indicators like gut feel and questionable signs of irresponsibility, but don’t ignore them altogether either. Instead, use them to trigger a supplemental probe. Even if your staff advisers tell you that you cannot base a hiring decision on overabundance of body piercings or blatant indicators of irresponsibility, you can at least schedule a follow-up interview to ask questions and draw a person out. At the very least, ask. Offer the candidate some scenarios that compel choosing a course of action consistent with future job responsibilities. You might be surprised how often people admit to misdeeds or give themselves away through behavioral leakage – if you just give them a chance.

For more along these lines, see “Defending Against the Threat of Insider Financial Crime,” on page 17 of a recent issue of Frontline Security (at http://www.frontline-security.org/publications/10_SEC2_Money.php).

-- Nick Catrantzos

Tuesday, October 5, 2010

Lost Billions a Footnote?

Jerome Kerviel is now being sentenced for what briefly ranked him among the most infamous of ethically challenged traders. A few years ago, when he was caught, investigators attributed billions in losses to his gunslinger risk-taking with other people's money. Speculation in trading circles indicated the attending scandal could mean the end for Kerviel's employer, Societe Generale. After all, lesser yet similar financial malpractice ruined the venerable Barclay's less than a decade before. What is Kerviel's fate today?

Three years in jail and an order that he pay restitution to the tune of 7 billion euros, according to the BBC (http://www.bbc.co.uk/news/mobile/business-11474077).

Ah, here we see a clear sign of the power of inflation to turn yesterday's gasp into today's yawn. Evidently, as the BBC article concludes, what Kerviel gambled and lost is rounding error compared to the hundreds of billions lost in the American subprime mortgage market. Thus, at least in France, there appears to linger a perception that America can still outperform Europe.

It is interesting that the court finding Kerviel guilty absolved his employer of any responsibility for fostering a no-holds-barred, don't ask don't tell arena -- as long as the financial trades were yielding profits. It does seem Societe Generale will not escape paying some fines for failures of due diligence, i.e., for failing to institute reasonable checks to limit the impact of unreasonable actions. Unlike Barclay's, however, Societe Generale shows every sign of emerging intact from the catastrophic loss and scandal.

Why? Is it because the French are more forgiving than the British? Or is it because an accident of fate just happened to bring out so many financial misdeeds to public attention around the same time that Kerviel's misdeeds faded away by contrast? Lesson for malefactors: If you must sin, do try to time it so that other sinners are acting more prominently at the same time. It will lessen not only perceived villainy but also your punishment. Could a book deal be far behind?

-- Nick Catrantzos

Sunday, September 26, 2010

Siemens Cyber Infection and Revenge

A year ago, Iran's sans culottes saw their Prague Spring dissolve under the clouds of authoritarian might as sanctioned enforcers bulldozed disaffected voters into political silence. For a brief moment, technology seemed to offer a secret weapon to counter state silencers. Twitter enabled angry commoners to assemble en masse before government crowd busters could deploy storm troopers to stop them. Eventually, though, the protests faded. Protest leaders died, disappeared, or were hunted down for imprisonment, beatings, or worse.

Somewhere, as this story unfolded, the Wall Street Journal and other news organs reported that Siemens had supplied Iran with the means of tracking and monitoring telecommunications, like those annoying text and Twitter messages so important for protesting citizens involved in organizing marches and demonstrations.

Isn't it interesting that this year now finds the Iranian government frustrated by the Stuxnet worm targeting another Siemens product? The product, in this case, is Siemens' supervisory control and data acquisition (SCADA) system for Iran's nuclear power facility. While this cyber malware is sophisticated to the point of speculation of state sponsorship, could there be another facet to this attack? Could it be that some disaffected citizen who lost a loved one in last year's protest crackdowns had the sophistication and motivation to strike back not only at the Iranian government but also at a contractor who provided that government with tools to undermine popular resistance? Is there an element of revenge in play, one wonders?

-- Nick Catrantzos

Friday, September 17, 2010

Inquisitive Arts Score Win

It is amazing what people will divulge if someone takes the time to get and keep them talking. The art in transforming conversation into investigative technique comes from guiding interviews to the point of facilitating admissions. This, in turn, requires creating opportunities for interviewees to reveal where they are being deceptive. This, in turn, requires the interviewing investigator to shut up. After all, as studies have shown, the average length of time it takes before a detective interrupts an interviewee is 8 seconds (Rebecca Milne & Ray Bull, 1988. Investigative Interviewing. Chichester: John Wiley & Sons).

Someone in Vancouver, Washington, must have taken the foregoing lessons to heart when local detectives announced yesterday that Bethany Storro threw acid on her own face on August 30, instead of being the victim of a random attacker. As details trickle out through the media, talk about splash patterns and a search of Ms. Storro’s residence may imply that forensic evidence broke the case. Perhaps. But the home search produced no acid, and deriving subtle indicators of deception from acid splash patterns in this case would be like driving around the block to arrive next door. It is much more likely that old-fashioned, inquisitive interviewing and zeroing in on inconsistent statements gave Ms. Storro away. What might some of those questions and answers have looked like? (This is my speculation only.)

Q: If you had to theorize, who do you think might have done this?
A: Gee. I really don’t know. [Deceptive. The innocent tend to offer some names. The guilty or deceptive are more inclined not to.]

Q: What do you think should happen to the person who did this?
A: I don’t know. Maybe they need help. I don’t want revenge. [Deceptive. Storro did advance an avowed, Christian message along the lines of not seeking revenge. The innocent tend to name a harsh punishment. The guilty don’t because this question in effect makes them answer how they feel they should themselves be punished.]

Q: Do you think the person who did this should have a second chance, or rehabilitation?
A: Yes. [Deceptive. Same rationale as above. The innocent stick to harsh punishment.]

Other revealing signs include how Storro structured her story. In a true statement, emotions appear in illogical places because this is how the truthful person remembers them happening. In a deceptive story, every detail supports the narrative and is rehearsed. Thus, Ms. Storro’s initial story most likely suffered from appearing too logical, too tidy. Additionally, most deceptive accounts of events devote an inordinate amount of time to setting the stage and building up to the incident itself. True stories have the bulk of the narrative concentrating on the incident itself with a modest preamble and a modest conclusion.

All a detective or private sector investigator has to do is look, if he or she wants training on how to detect deception. Avinoam Sapir’s Scientific Content Analysis (SCAN) technique is absolutely first-rate for unearthing deception in statements a subject makes, whether in print or in broadcast interviews. Mr. Sapir no doubt would have discerned multiple red flags in the way Ms. Storro talked about the incident from her hospital bed when she got her first exposure to media attention. Wasn’t it interesting, he might have wondered, that she made such a show of Christian forbearance in not seeking out harsh treatment for her alleged attacker? Another handy addition to the investigator’s tool kit would be the Wicklander-Zulawski method of interviewing to detect deception. Indeed, this W-Z technique inspired my foregoing questions and answers.

None of this works, however, if the process excludes the fundamental necessity: an investigator with an inquisitive nature. It takes an inquiring mind to wonder why a woman who claims she never wears sunglasses was wearing them at 7:15 p.m. in the shadow of a city building just in time to mitigate the so-called random acid attack. Well done, Vancouver detectives.

-- Nick Catrantzos

Monday, September 13, 2010

Hype Demonizing the Dead and Troubled

It is hard to conceive a more base hijacking of homeland security than what is now happening between egotistic speculators and yellow journalists eager to stoke a panic over this personal tragedy. (See http://www.google.com/gwt/x?u=http%3A%2F%2Fwww.bostonherald.com/news/regional/view.bg%3Farticleid%3D1281024%26format%3D%26page%3D2%26listingType%3DLoc&wsi=2905647a0c44fc0a&ei=dySOTMDlHJ3SrgPbr5GgAg&wsc=pr&whp=3AarticleFull.)

What happened? A Northwestern University lab tech, apparently distraught over losing her job, took her life using cyanide. To compound the tragedy, though, media reports are now turning an otherwise personal, inward event into hysteria about loose control over cyanide in school labs. Not only is this a callous move that aggravates the circumstances for the suicide's family, it gives rise to ridiculous frenzy. Suicides use what they have at hand. Lock up all the lab chemicals, inventory them daily, and then what? Will you also lock up all the bodies of water to preclude intentional drowning? How about bridges and tall buildings, to bar death by leap from high places?

Some controls may be worth a second look, but turning the troubled, dead woman into a theoretical enabler of terrorist attacks is wildly speculative and insensitive in the extreme. Even the reporter advancing this notion sows the seeds of doubt, however, as the article can't help having one of its expert quotes point out that cyanide of the kind mentioned here is more applicable to attacking small numbers of people. Another quote has a security director opining that the young woman was distraught. It is the reporter, however, who leaps from "distraught" to "disgruntled." This proves how handy the dead can be, since they can neither defend their reputations nor retaliate against hasty accusations. It reflects poorly on reporter and accuser, diminishing credibility of all eager to speculate. One day, they may have a real terrorist threat to announce. That will be precisely the day intended victims will ignore the warning from sources tarnished by crying wolf as they are doing today.



-- Nick Catrantzos

Sunday, September 5, 2010

When Solution Is Not the Problem

It’s you. Sometimes, you must stop blaming the chosen tool for not solving your problem. Sometimes, the fault is your own. It is not how good the tool may be at its theoretical best. It is how good you are with it, how well you use it to solve the problem in your path. You must also start out with the right tool for the job.

Matters of security reflect their ambient surroundings, which infect security challenges with the same tendencies and folly that rage through modern life. Not only does the sound-bite age predispose us to seeking instant answers, it conditions us to seek out the sexy at the expense of the reliable – a peddler’s paradise. Witness, for example, the popular rush to set aside proven business tools in a blind lust for promised elegance and slick functionality. Few illustrations of this tug-of-war surpass the efforts of RIM to market its business tool, the BlackBerry, as a competitor of the iPhone, a device optimized for entertainment. To the business user, it is surreal to see how BlackBerry maker RIM is positioning its current advertising campaigns for the Torch. Whom do they showcase? Young, hip, artistic, individual consumers eager to go turbo-networking with their peers. No room for any traditional business people relying on the device to consummate a deal, manage a crisis, or communicate a plan of action to colleague or subordinate from field to office.

What Is Wrong with BlackBerry Today

It isn't the specter of being banned in Dubai or Saudi Arabia for RIM's insufficient groveling to authoritarian pressures to make it easier for these governments to decrypt electronic messages. It isn't only iPhone envy and an inability to compete head-to-head against Apple for web surfing, music playing, trendy applications, or even more trendy stylishness. No. What threaten to plunge BlackBerry into extinction are the self-inflicted wounds of lost identity and a headlong rush to transform a stand-apart business tool into a me-too, never-quite-hip-enough toy. This represents a textbook case of how to dilute and extinguish one’s own, once-formidable brand.

Instead of remembering its core market, the business customer, RIM is courting young, personal smartphone users in its TV ad campaigns. This approach forgets that business users differ from kids. So do their needs. As a business user who managed his employer's first all-BlackBerry-equipped professional staff (none of them techies) I offer these distinctions which continue to make the BlackBerry a tool that trumps the iPhone in the business world — at least for now:

My security staff and I need e-mail, phone, a robust address book that can look up phone numbers from the enterprise server, the ability to take decent but manageably small-size photos that we can e-mail easily, and Note/Memopad capacity that most other smartphones ignore or handle poorly. Strong battery life is also a plus. Because we use the device to transact serious business, we need an adult, QWERTY keyboard that facilitates sending out timely and accurate instructions suitable for board room discussion and even legal or reputational challenge in court. We do not need to mix our business applications with social networking, recorded music, games, TV or video viewing. Nor do we need to send or receive video messages of ourselves that are data-intensive but as vapid as the average teen's texting commentary on world affairs. We especially lose our taste for such functions when they begin to crowd out our business applications. Example? The newer BB Curve boasts more iTunes-like functionality and video-taking while removing the flash from its camera. Hip young individuals may applaud this. Business users just shake our heads. I have three iPods, including a Touch. They cannot rival the BlackBerry for business any more than BlackBerry can compete against them for music or video access.

A Tool, Not a Toy

Memo to RIM: stop competing for the casual, high texting, low substance dilettante if you want to retain the professional as your core customer. Apple and its acolytes can't quite reformat for the serious business user. By default they alphabetize address books by first name and, when grudgingly adding a Notes/Memopad feature, they still bypassed a rational, businesslike ordering of entries alphabetically. Instead, Apple insists on indulging callow, adolescent developer defaults, like ordering notes only by reverse chronological sequence. Great for kids with the attention span of a flashbulb and a planning horizon that stops with Saturday night. Lousy for serious business people who use Notes to carry over 50 procedures and references that they may need to consult when responding to a threat or crisis while fielding a panic call that comes in at midnight.

Final Caution: Don't rely exclusively on the techies to chart your course. All specialists sooner or later fall in love with the tools of their trade. The same technologists who push for more and more functionality are the ones who resist design freezes and struggle to come up with final documentation – or final anything. It's always more fun to keep trying something new (the Edsel, New Coke, and Microsoft Vista) than to finish and perfect what they have grown bored with. But the business user needs and desires core functionality that works reliably – not razzle dazzle and the future promise of cool things that take too long to work and offer little practical value in relation to the effort necessary to master and troubleshoot.

For RIM and the serious business user, decide. What business are you in, tool or toy? Who is your customer, the business professional or the budding or overripe adolescent? Their wants and needs are very different, and one may be less forgiving or fault tolerant than the other.

- Nick Catrantzos

Monday, August 23, 2010

Bad Word Choices Fuel DEA Ebonics Controversy

Sometimes the bureaucratic hoop jumping that comes with trying to fill a simple need becomes its own hurdle and curse. The result? The kind of egg-on-the-face reaction that produces the inevitable snickering sure to accompany this article: http://rss.thesmokinggun.com/documents/bizarre/justice-department-seeks-ebonics-experts.

Words mean something, however. And inflating terms to give them greater legitimacy comes with a price. A garbageman is now a sanitation engineer. A dog catcher is an animal control officer (apparently without even working up from private or corporal). And a contractor who must occasionally come up with a way to decipher urban street slang picked up via wiretap is now a "linguist" specializing in "Ebonics." Balderdash.

To say that Ebonics is its own language because it follows a predictable grammar is a deceptive half-truth. Every human utterance recognizable to some fellow human does the same. Descriptive linguistics taught this lesson long ago. But this does not make a slang variation of Standard American English any more a separate language than it would for the halting speech of two-year-olds or immigrants from one country who impart unrecognizable pronunciations to common English words that only their in-group readily comprehends. None of these variations is a separate language. They may qualify as a dialect or a creole or even a pidgin, if one wants to be precise. Nor are its decoders "linguists." They are translators or interpreters.

Somewhere, beneath the controversy, there's a poor DEA agent trying to get the resources to get a necessary job done, and none of this nonsense is helping her. Imagine a DEA field agent trying to get approval to spend, say, $50 to have a streetwise kid of a shopkeeper help interpret some undecipherable passages of a recorded plot. Her boss tells the agent, "No. Go through the system." She then finds herself caught up in red tape and a labor-intensive swirl of contracting processes that force putting out a competitive bid for language translation services that become artificially inflated to the point of being only vaguely connected to the original requirement. The system is validated. Someone makes money on the deal. Meanwhile, the DEA agent has probably dipped into her lunch money to pay for the kid to deliver the needed information in real time in order to thwart a drug deal and accompanying shootout. Somewhere in this process, there is a tail wagging the dog it is supposed to serve.

- Nick Catrantzos

Sunday, August 22, 2010

Filling Voids with Slogans

Just what slogan or mantra sustains the greatest traction within the ranks of our adversaries who crave our annihilation? Death to America must fall flat after a decade or so of chanting.

There was a time when a population such as Romans could be controlled through judicious delivery of bread and circus. Feed them. Amuse them. Expect them to then accept their lot without undue chafing. "Bread and circus" made a reasonable slogan. Yet all tribes and peoples grow restless, to the point that mere survival and sustenance are no longer enough. The French once observed that people need "flowers before bread." If material wealth is insufficient to placate or energize, what is? Contrast, perhaps? Just as gratitude is an antidote to misery, comparing one's lot to that of another, more fortunate contemporary is a surefire stimulator of animosity. The French Revolution had its sans culottes who found in the guillotine a drastic cure to the let-them-eat-cake condescension of the ruling class. What about today's jihobbyists, though, the ones who may not be full-fledged terrorists but may yet travel down that migration path?

We know that their leaders and role models tend to be educated, middle class or wealthier, and relatively better off than their average countryman. So why are they not content to use their brains and status to greater advantage with less risk? Perhaps the materialistic world where even our own economic progress now seems precarious has lost its allure. Their new mantra could well be, "Purpose before comforts."

Something is missing for jihobbyists. They don't quite fit in. They may have advantages, but real or inflated comparisons against those better off still ignite grievances. The shrewd adversary comes upon this situation and interjects resentments and courses of action to fill this vacuum.

There is always someone to resent and some way to declare oneself victimized. The only people who seem to lose their taste for professional victimhood are the ones who have weathered the greatest losses. This may account for why Israelis who have been the most historically exterminated over time do an impressive job of defending their small nation yet have avoided lobbing nuclear weapons at surrounding enemies sworn to their obliteration. Similarly, the Japanese who absorbed the first atomic bombs vary at times in their anti-Western sentiments but, for the most part, take more pride in acting like a modern productive nation than like an aggressive state with an axe to grind. Both nations also operate by popular rule that may be messy, flawed, and invariably contentious. Yet their rivals and detractors tend to be autocratic and more dangerous to their own people as well as their neighbors. North Korea comes to mind as an example.

For all the professionally self-styled victims of the modern world, why do they seem to operate principally by dictatorship and brutality? Where are their versions of Mahatma Gandhi and Martin Luther King? Could it be that the reason they lack such visionaries is that their bile-generating propaganda is bereft of the kinds of ideas that lift their fellows to a level of civilizing influence that shames all opponents? If so, then this is a sign that the jihadists will never quite prevail on their own. If the only way of converting others to their way of thinking is brute force, then they will never win a battle of ideas. The only way they will even come close is if we shut down, withdraw, turn inward, and so enfeeble what is left of our own civilization that we mute our own narrative and history, refusing to engage in that battle of ideas. In this they cannot win. Only we can manage to lose. We lose by abdication, by prolonged absence, by taking no stands, and by fogging mirrors.

- Nick Catrantzos

Sunday, July 25, 2010

Killer Crowd Stampedes

Today’s casualty figures from yesterday’s catastrophic stampede at a German music festival: 19 dead, over 300 injured. A lengthy Daily Mail account of the event includes a video clip and several photographs of the tunnel where panicking attendees squeezed together with suffocating intensity (Ref. 1). One witness even claimed he could see the potential calamity coming some 45 minutes before it happened. Did he really convey anything useful to police at the event, whom he accused of being insensitive to his warning? Doubtful. Any Monday morning quarterback may recast on-scene grousing into dire predictions after the fact. Could the stampede and casualty count have been averted? Absolutely.

Crowd Control

Event security practitioners call it crowd control for a reason. It is not just about signage, ingress, and egress routes – although these are important. Crowds can be innocuous or lethal. Their capacity and intensity vary according to the event and to the immediate circumstances affecting them at different points in time. Crowds change, even at the same event. What started out as a cohesive crowd of tame spectators yesterday ended up turning into an escape mob that rapidly went out of control (Ref. 2). What counts most in crowd control? Leadership.

“Leadership has a profound effect on the intensity and direction of crowd behavior … The first person to give clear orders in an authoritative manner is likely to be followed.” So says the US Army Field Manual on Civil Disturbances (Ref. 3). One of the thorny problems with conveying directions to a crowd at a music festival, however, is being heard. Reporting on yesterday’s event indicated that parts of the crowd were oblivious to ambulance sirens and anguished cries of stampede victims, as amplified music was drowning out other ambient noise. For crowd control, this means that bullhorns and loudspeakers would not have helped yesterday.

Leadership comes in many forms, and it need not necessarily be in commanding crowds to disperse. One of the most important things to do is to keep the crowd moving and, if at all possible, to do this with a light touch (Ref. 4). While this is easier said than done, there is precedent to support that a keen sense of how to avoid chokepoints can keep crowds from becoming stampeding mobs.

Big Event Success Stories

An untrumpeted beneficial demonstration of crowd control came in 1984 from then Chief of the Los Angeles Police Department Daryl Gates. Fearing potential terrorist attacks, a joint task force including the Secret Service and an assortment of federal agencies had converged on Los Angeles to assist with preparations for the Olympic Games. One security product of this collaboration was the introduction of metal detectors through which all spectators were to pass. As lines behind the metal screening points started to grow exponentially, it became evident that the metal detectors threatened to cause more of a problem than they would potentially solve. This was clear to the crowd and to event staff. But no one seemed able to do anything about it – until Chief Gates stepped in and ordered the lines open and the metal detectors shut down – while other officials were still dithering about who had the authority to make that call. As a result, a public relations fiasco and the potential for a stampede were averted. Someone took charge, rapidly assessed conditions, made a tradeoff decision involving chokepoints, and adjusted security and crowd control to make the best of the situation.

Think also of Woodstock, where authorities avoided stampedes by deciding to stop trying to force gate crashers to pay for the iconic, open-air concert once it became clear that attendance had overwhelmed ticket sales.

A Micro-Level Comparison

Years ago, when I was master of ceremonies for an annual event that my service club put on for my community, I found we had grown to the point of having to contract with local law enforcement for a security presence. Experience showed that this was an attractive duty for the cops, who received overtime pay otherwise not available, in addition to free food and all beverages except beer. Past experience also showed, however, that assigned officers had a tendency to congregate and lose themselves in their own conversations when not refeeding, rehydrating, or attending to a call for immediate assistance. So we actually developed a security plan and, when signing the contract for the support our club was paying for, we established fixed and roving security posts as well as regular communication intervals and feedback loops so that police and event organizers worked closely rather than independently. As a result, traffic and crowd control worked flawlessly, even as the annual event started to outgrow its original size and require a larger site and shuttle buses to accommodate attendees.

Lessons for the Germans

Germany is no stranger to public events and crowd control. So the Germans will no doubt arrive at these same lessons as they perform their failure analysis:
• If you are going to use your police force, then assume command and control the crowd.
• Keep the crowd moving.
• Keep the crowd engaged. Communicate with them effectively. This may mean having your officers talk to them as they pass by or, if the music is too loud, then having elevated, electronic signs that you can change as circumstances warrant. Even a flip sign with some different messages that police can hold overhead to adjust crowd movements can help.
• Run through multiple scenarios in advance. If you see a dangerous chokepoint, seal it off and set up signs and officers in advance to keep it from turning into a gathering point or attractive nuisance with the potential for becoming a death trap, as the tunnel did yesterday.
• Above all, put in charge someone who has the capacity and judgment to shift priorities and make on-the-spot decisions, like closing off a chokepoint, redirecting traffic, or changing the rules on the fly if this is what it will take to avoid turning a tame crowd into a stampeding mob.

References:
1. http://www.dailymail.co.uk/news/worldnews/article-1297346/Love-Parade-17-crushed-death-80-injured-mass-panic-tunnel.html
2. Jane’s Facility Security Handbook, 2nd Edition, by D.S. Fenn et al, Surrey: Jane’s Information Group, 2006, pp. 277-278.
3. FM 19-15, Civil Disturbances, 2005, p. 2-2.
4. Event Risk Management and Safety, by P.E. Tarlow, New York: John Wiley & Sons, 2002, pp. 102-103.

Sunday, July 18, 2010

Moral License, Offset, and Human Rascality

Few things in life rival for annoyance the sanctimonious self-satisfaction of the prominently virtuous. In some arenas, such irritating rascals lord it over their fellow mortals that they are more ardent church-goers. In others, they avow being more sensitive, more green, more tolerant – of anything other than doubted omniscience – more … you name it. Until today, however, articulating exactly what makes such people so infuriating has been problematic; a useful term with analytical underpinnings has been missing from many lexicons. Certainly it has been absent from mine. Thanks to Michael Rosenwald’s essay in today’s Washington Post, however, all that has changed. In “Does being good make us bad?” (http://mobile.washingtonpost.com/c.jsp?item=http%3a%2f%2fwww.washingtonpost.com%2fwp-syndication%2farticle%2f2010%2f07%2f16%2fAR2010071606839_mobile.xml&cid=578815), Rosenwald breathes life into the term moral license and supplies pointers to an analysis that suggests there remain sound reasons for cutting the cards when dealing with those who make a show of their virtue. Are there lessons for homeland security as well?

We begin with terminology. Moral license is how people rationalize away bad behavior by stacking it up against a past or future reservoir of good behavior. The stacking exercise invariably makes the bad pale in comparison to the good. The net result of this balancing act is that it leaves the ones performing it wearing a mantle of nobility in their own minds, despite the blood stains and bullet holes their reprehensible acts may have produced in the eyes of witnesses. How does this come to pass? Offset (my term, not Rosenwald’s). Adapted from international contracting in the defense business, offsets are legal trade practices between nations, often governed by laws or policies.

Offset is the way a government buying modern technology from a U.S. supplier can afford to do so or to improve its balance of trade by insisting on some form of consideration for the deal that will lessen the buyer’s burden. Sometimes, it can be in terms of co-production, where the American company has to agree that, as part of the deal, the foreign buyer will be allowed to manufacture some particular components at home, which the seller will then buy back or give credit to the buying country by a comparable price reduction. Sometimes it can be more along the lines of agreeing to pay for all or part of what the buyer needs by counter-trade or barter, i.e., by paying not only in cash but in whatever it is that the buyer country has in ample supply, whether it be oil or oranges. Applied to the algebra of moral calculation, however, offset is how we are now seeing people explain away apparent misdeeds or transgressions while trumpeting their nobility with gusto.

Where is this self-conferred moral license apparent? Look no further than the parking lot full of SUVs delivering attendees to an environmental protest. Or look for exercise aficionados unable to resist taking the escalator to their trendy fitness clubs. Yesterday, society would have branded them hypocrites or half-hearted believers in their stated objectives. Today, thanks to moral license, they can stray but hold their heads high. After all, they rationalize, is it not enough to promote the right cause and to sustain a net balance on the right side of the equation? If the promoter of the cause uses private jets and limousines that seem to leave a careless environmental footprint, this is acceptable as long as he trades in enough carbon credits to offset the apparent hypocrisy. If the fitness fan indulges in pampered conveyance to and from the gym, she can offset that by doing another half hour on the elliptical machine.

Finally, suppose extra airport security measures triggered by a Homeland Security alert ignore suspicious behaviors of hale and hearty young adults whispering in hushed tones and paying inordinate attention to what is inspected. There is no need to worry. We can offset that insouciance by intensifying supplementary baggage checks on a wheelchair-bound veteran who happens to be first in line at the departure terminal or on the stately grandmother who is the last to board – since without her we might have missed our quota for additional scrutiny. How about border security? Mobilize National Guardsmen – in installments – to perform administrative tasks while criminal entrepreneurs and illegal unfortunates break laws to improve their lot at others’ expense. The offset of visibly assigning more life forms to the situation belies the absence of an impact and sidelining of the problem. Or perhaps dispensing unsolicited (and unaccepted) apologies for American swagger on the world stage somehow offsets a calculated failure to draw hard lines and let enemies know that crossing such lines constitutes an act of aggression.

Who needs judgment, purpose, or focused attention to stated intent, when today’s offsets offer moral license to take the most expedient path? Is moral license epitomizing the kind of smartness that will one day lead us to slit our own throat? If so, at least we have a name to attach to this phenomenon so that future archivists will be able to chart its ascendancy with our decline.

-- Nick Catrantzos

Wednesday, July 14, 2010

Kidnap Comp, in Colombia?

Is a presidential candidate who was kidnapped while on the campaign trail and then held in captivity for several years entitled to government compensation of $6.8 million? It depends. The July 12 issue of the Economist sheds some light (http://www.economist.com/blogs/newsbook/2010/07/betancourts_demand_compensation).

On the one hand, as victim Ingrid Betancourt said when announcing her claim, the Colombian government refused her transportation via military helicopter and apparently denied her a protective detail. These circumstances could have materially contributed to her vulnerability, placing her at greater risk of harm.

On the other hand, the government maintains it warned her not to venture into the area where the kidnapping took place. Every other politician took such warnings to heart. There is another rejoinder, and one that gained so much popular traction in Colombia that Ms. Betancourt is now rethinking her claim and relabeling it a symbolic gesture. The same Colombian government that she says let her down also rescued her, at considerable risk and expense, including infiltrating Colombia’s FARC rebels. This is why vocal Colombians are fuming, demanding she reimburse the government for the cost of her rescue – instead of looking for a payout.

Which camp is right? There is no question that Betancourt suffered. Did she have some responsibility for her own protection, however? Was she indeed petulant or irresponsible in ignoring government advice that other political candidates heeded when she went into rebel territory as if danger for the common folk would somehow not mean danger for her? Other reports begin to paint an unflattering picture of Betancourt as demanding, condescending, and egoistical, as befitting the well born and pampered. Hostage Keith Stansell, in Out of Captivity, recalls that side of her. He and fellow Americans found her perpetually claiming and taking more than her share of food, clothing, and personal space, compared to other hostages. According to Stansell and his compatriots, Betancourt chafed at being held in the same space as the Americans. So she told guards that the Americans were working for the CIA and had tracking chips embedded in their bodies – all in an effort to have them removed, so that she could have more space to herself. The Americans felt they could have been executed over that maneuver. Meanwhile they noted she formed a romantic liaison with another captive, which may have contributed to the estranged relationship with her husband following her escape from captivity. Finally, in making her claim on Colombia’s treasury, Betancourt apparently made no mention of sharing her million-dollar book deal with Penguin to publish her memoirs.

She does seem to be reconsidering her demands, however. Did the government have and ignore a duty to protect her? Perhaps. One or two courts will decide. The first is the civil court which will allow or reject her claim. The second court, however, is less formal but more influential. It is the court of public opinion now branding her an ingrate and rapidly losing sympathy for an individual who basked in the light of a heroine while exhibiting the cutthroat and self-absorbed behaviors of a poltroon.

- Nick Catrantzos

Sunday, June 27, 2010

Defending Against the High of Havoc

Spectacle draws cameras and fuels notoriety. It also masks incremental security progress. So it is or has been with recent crowd control efforts in Los Angeles and Toronto, from the Laker basketball title victory to the G20 summit. Both events drew unruly crowds expressing either elation or disgust by torching otherwise innocent vehicles posing neither threat nor obstruction. In L.A., video coverage of thugs torching a taxicab made it to YouTube. This video (http://www.youtube.com/watch?v=4xfQR6YomJs&feature=related) shows a uniquely modern touch to an otherwise unchanging pattern of mob destruction. The pattern begins with tentative strikes that gather momentum and intensity as attackers meet no resistance and only magnify their glee at being able to hit things or people without being hit back – to the cheers of their own crowd.

The modern novelty comes in the ubiquity of cell phone camera flashes, as thugs pause after smashing a window or jumping on a car hood to immortalize their impact while grinning and cheering. Those with higher-end cellular phones take a turn at playing videographer, while their more electronically challenged fellows, lacking in the souvenir-taking technology, must content themselves with smacking the defenseless cab with renewed vigor. What are these destroyers ostensibly doing all the while? Celebrating their team’s victory. That’s right. These are happy people, expressing their joy by robbing a taxi driver of the means of his livelihood.

Move forward, now, to Toronto. Mobs vandalize banks and retail shops while torching police cars. Their worst destruction, attributed to Black Blocs (See http://www.csmonitor.com/World/terrorism-security/2010/0627/Black-Bloc-tactics-mar-Canada-s-G-20-summit), appears to be carried out under the banner of anti-capitalist, anti-police, anti-government – anti-you-name-it sentiment. So these are unhappy people, expressing their discontent by destruction that, at a given moment, looks remarkably indistinguishable from what happy rioters did in Los Angeles. These crowds use technology a little differently. Not that they don’t take their own souvenir photos. However, their mobile phones are communication devices first and documentation devices second. Text and Twitter messages offer Black Blocs their command and control, redirecting crowds on the fly to exposed targets and away from riot police strongholds.

Welcome to the new global pastime of modern unruly crowds. Among the principal differences between jubilant crowds and angry ones is that the latter come better prepared, hence the projectiles that Black Blocs used in Toronto to launch bags of urine and feces at police. Similarly, the Toronto mobs included stalwarts drenched in vinegar to offset the effects of the teargas they expected to draw. For once, the inherent sourness of violent protestors comes with a telltale, odor-bearing signature, as observers in Toronto reported tracking mob progress by following the vinegar smell with their noses.

Where is the good news for security practitioners? Well, it may not be good news exactly, but it is better than it could be. So far, both venues have been far less destructive than they could have been. True enough, one single torching of a car or business is one too many. However, it could be a lot worse. The Laker game mob’s swath of destruction in L.A. was a fraction of what previous ones have been. Similarly, the G20 rioting in Toronto has drawn 4,000 instead of the greater than 100,000 rioters in Italy for a past summit. Observers in Toronto report that riot police were refusing to be drawn into skirmishes when Black Blocs and other rioters torched police cars and broke store windows. Again, this is bad news for the custodian of the damaged asset.

However, there remains a certain wisdom in containing destructive forces, in channeling them to where they literally burn off their energy as they burn up some things in their path. Call it crowd control meets the Dog Whisperer. Once that energy dissipates, so too does a good measure of aggression. Better that this process take place with some impact to property and less jeopardy to human life. Security may not be perfect in either circumstance. But there are signs that it is better than it used to be for similar events.

– Nick Catrantzos

Sunday, June 20, 2010

Insider Threats Like … Cyber Armed Robbery? (Part 2 of 2)

Where Cyber Studies Stumble

This is where a look at the evolution of workplace violence studies foreshadows what is happening with cyber treatment of the insider threat.

To those who fear it, experience it, or defend against it, workplace violence is about rampage killings on the job. The agent of destruction, here, is an employee, a former employee, or a raging spouse whose domestic problems have spilled over into the workplace. Efforts to interdict workplace violence and improve defenses against these kinds of attacks, however, suffer when the data on cases extend to armed robberies of convenience store clerks and taxicab drivers. Indeed, when the latter categories enter into the discussion, they soon overtake the study. As a result, statistical compilations of workplace violence from official bodies such as the National Institute for Occupational Safety and Health tell us that key indicators of workplace violence are cash-handling operations at night – something cab drivers and convenience store clerks deal with and armed robbers covet. (This is why handling cash, dealing with the public, and transporting cash-carrying people or goods rate as high risk factors according to NIOSH, as noted in http://www.cdc.gov/niosh/violrisk.html.) However, while armed robberies do produce threats, injuries, and even fatalities, these are not the cases we mean when trying to deal with disgruntled employees driven to homicide. The broad definition, in this case, does a disservice. If you are running an organization that has little to do with cash accessible to an armed robber, developing a security program to counter armed robbers will do nothing to defend against enraged, hostile insiders.

Cyber-centric command of the insider threat performs a similar disservice to serious analysts of the kinds of trust betrayer whose goal it is to carry out an attack fatal to the institution. If most cyber threats indeed represent a former employee slamming the door with a denial-of-service attack, then it is a mistake to crowd the field with them. It is the equivalent of categorizing jaywalkers with mass murderers. Admittedly, both are breaking rules. But if we have to sort through thousands of jaywalkers before getting to see a single murderer, then our focus and resources are diluted by the time we arrive at the more dangerous threat. This is where the cyber world gets it wrong, Y2K-reminiscent predictions of cyber doom notwithstanding.

The insider threat that merits first priority is not the casual hacker or fired system administrator. Nor is it the disgruntled employee bent on harming his boss and co-workers. These people may create problems and even cause personal tragedies. Certainly they deserve some of the organization’s attention. Yet they are seldom able or willing to carry out an attack that will be fatal to the institution. The insider threat of first concern for us is the trust betrayer intent on catastrophic sabotage for reasons beyond narrow personal interest, such as for a terrorist adversary whose aim is our annihilation.

Defending people, assets, and capabilities is all about prioritizing. Let’s isolate the murderers from the jaywalkers, the malcontents from the terrorist assassins, and the opportunistic hackers willing to disrupt from the zealots willing to die in order to devastate. Otherwise, we will find ourselves consumed with investing all our resources on jaywalking, because that is what we are looking for and seeing most of, while murderers skulk in the dark corners of the periphery our blinders will not allow us to view.

--Nick Catrantzos

Sunday, June 13, 2010

Insider Threats Like … Cyber Armed Robbery? (Part 1 of 2)

Self-canceling phrases like this sometimes highlight a contradiction smothered under the page count of arcane studies. Two cases in point illustrate a shared phenomenon afflicting the insider threat: the peril of either defining a threat too broadly or tailoring it to a particular agenda.

Cyber aficionados today dominate insider threat studies. Perform a Google search on insider threat with the current year, and the first several pages will demonstrate this dominance. Cyber-centric observers argue that information technology is not only important but, increasingly, the axis around which the rest of our world revolves. Accordingly, any disruption to the flow of data through a network or processor must necessarily foreshadow dire consequences. Therefore, when such disruption traces to access made possible by someone from within the firewall rather than an outside stranger, cyber defenders raise the alarm and fire their fusillades in the name of insider threat defense. Fine, up to a point.

But what is an insider threat? Who defines it, and how broadly? Here the defender’s perspective begins to vary widely, often in proportion to narrow expertise, agenda, or comfort zone. Ask Carnegie Mellon’s cyber-centric analysts, and they will inundate you with tales of breaches of networks and firewalls, of employees abusing system administrator privileges, of hackers socially engineering their way into unauthorized access to sensitive electronic files, and of petty thieves turned cyber crooks who carry out schemes for personal enrichment at an institution’s expense or infect their employer’s system with virus or Trojan horse after severing employment. That Google search string with “insider threat” and “2010” unearths an overwhelming salvo of cyber-centric articles on the topic, crowding out other treatments of trust betrayers.

What is missing? Even informed cyber observers themselves point out that the majority of cyber insider attacks are by former employees after they have departed, in effect an electronic slamming of the door in a less than graceful leave-taking (Band, et al, 2006, pp. 40, 52). This data point finds little welcome in the cyber acolyte’s taking command of today’s insider threat studies.

Another little-advertised data point is that some cyber security rules comprising accepted wisdom in the name of insider threat defense are gradually being exposed as ham-handed or over-the-top reactions that are out of proportion to the object sought. In a 2009 Oxford workshop of cyber minds, a Microsoft engineer presented a detailed analysis of the rational rejection of security advice – by and for cyber security – because rules are unduly burdensome and often unthinkingly imposed (Herley, 2009, pp. 1-12). If one is worried about passwords being compromised from the outside, Herley argued, it makes little sense to compel users to create new and difficult passwords every 60-90 days. A user can create a hard-to-crack password and remember and safeguard it for years. But if the same user must do this time and time again, the attending burden encourages shortcuts, like writing the password down where it can be exposed or using a simpler, less secure password because it is easier to remember. This is only one example of how cyber security practitioners are no more immune to the afflictions of specialist myopia than their brethren from other security disciplines. The alarm and surveillance specialist sees no problem that cannot be mitigated by the installation of yet one more intrusion alarm or monitoring point. Similarly, the response force commander reflexively asks for more trained sentries or security patrols to solve whatever security problem comes along. None of these specialists need be evil to be wrong. All are proceeding as if doing more of the same will somehow produce results that have eluded them so far. Thus, absent a change in perspective and the taking of soundings of their ambient conditions and larger objectives, security specialists eventually become prisoners of their predilections.

In a certain way, the result of the cyber world’s present efforts to claim the insider threat as its exclusive province creates precisely the kind of distortion that the world of workplace violence has come to experience by allowing its definitions to stretch too broadly.

(To be continued.)

-- Nick Catrantzos

References

Band, S., Cappelli, D., Fischer, L., Moore, A., Shaw, E., & Trzeciak, R., Carnegie Mellon University Software Engineering Institute (2006). Comparing Insider IT Sabotage and Espionage: A Model-Based Analysis. PA: Carnegie Mellon University. Retrieved March 20, 2010 from www.cert.org/archive/pdf/06tr026.pdf

Herley, C. (2009, September). So long, and no thanks for the externalities: The rational rejection of security advice by users. Proceedings of the New Security Paradigms Workshop, Oxford, United Kingdom. September 8-11, 2009.

Monday, May 31, 2010

Articulate Deception Signals Weakness

Why do political beings rush to spotlight reports of confirming information but smother those that fail to produce the smoking gun they made much of when parading their intention to get to the bottom of alleged improprieties? Perhaps an answer lurks not so much in the Memorial Day weekend release of the Guantanamo Review commissioned by a January 2009 presidential order. (See http://media.washingtonpost.com/wp-srv/nation/pdf/GTMOtaskforcereport_052810.pdf?sid=ST2010052803890) Instead, the telltale insights come from the handling of the report.

Item 1: The report, completed in January 2010, was just released in May 2010, on a holiday weekend, on a Friday. None of the fanfare surrounding the announcement of the intention to get to the bottom of the Guantanamo situation and its implied, dire consequences for human rights accompanied the commissioned findings.

Item 2: Despite making the case that 95% of Guantanamo detainees are terrorist adversaries of the United States and, at most, 5% may be difficult to categorize in such a fashion, the administration's takeaway from this report drew little attention to the danger that the Guantanamo detainees pose for America and Americans. Instead, they emphasized that most detainees were low-level fighters. (See http://www.washingtonpost.com/wp-dyn/content/article/2010/05/31/AR2010053101702.html?nav=hcmoduletmv, where a Washington Post columnist observes how his own newspaper characterized the report in a Saturday news article following the report's release.)

Lessons?

1. One need not lie to deceive. Delay works.

2. Control the spotlight, and facts need not intrude into one's agenda. The desired impact apparently came from announcing the Guantanamo review, hence no sense of urgency in tracking its progress, reporting its conclusion a year later, or questioning why something important enough for a presidentially decreed task force took almost half a year to see the light of day.

3. Whatever such proceedings communicate to those who would kill us, it is hardly a message of strength or deterrence. Instead, it calls to mind these words of Hilaire Belloc:

We sit by and watch the barbarian, we tolerate him; in the long stretches of peace we are not afraid. We are tickled by his irreverence; his comic inversion of our old certitudes and our fixed creeds refreshes us; we laugh. But as we laugh, we are watched by large and awful faces from beyond; and on these faces, there is no smile.

-- Nick Catrantzos

Sunday, May 16, 2010

Security for Artisans

Security is receptive to scientific advance, but is no field for scientists to dominate.  The exigencies of protection are too fluid and the stakes too high for submitting one's livelihood, assets, or life to rigid metrics and laboratory-grade theories that fall apart on first contact with mortal hazard.  On the other hand, security is no long-term home for artists, either.  Not that the protective world need be inhospitable to creativity or innovation -- particularly if they produce desired protection on time and within ambient resource constraints.  However, the artist's highest aspiration to be and do something unique will find a better home elsewhere.  In the protection business, it is not only useful but necessary to be able to replicate and commoditize one's highest achievement, to spread it widely and often without taking credit for it.  In this context, die-hard artists will surely look to greener pastures more befitting their egos and temperaments. Where does that leave us, then, if security is neither art nor science and if security welcomes visitors from both camps but offers neither a home?

Security at its best is a home for artisans.  It is one of those hybrid disciplines whose highest expression derives from synthesis, from blending theory and innovation together and then applying the mixture with gusto and finesse to situations where success may occasionally surface but where failure is unmistakable and fatal to people, institutions, or careers.  Security is no place for the faint of heart, for the indecisive, for the chronically risk averse.  It can be a natural fit, however, for defenders, pragmatic idealists, and masters of the calculated risk.  

A first-rate security practitioner takes the pains of a fine craftsman (without giving the pains of a technical expert or temperamental artist) and applies skills that require not only knowledge but some level of apprenticeship.  This practitioner takes enough pride in mastery of the discipline to keep honing skills that improve the way he or she practices the craft.   Security professionals at the top of their game do for colleagues and neophytes what others did for them:  teach, share, question, explain, and improve.  They resist the temptation to hoard knowledge or mask ignorance.  Some are blunt.  Others are tactful.  Some are didactic and prolix. Others are laconic, only answering questions rather than volunteering information. All the pros have successes under their belt, as well as misfires it pains them to remember.  The good ones will tell you about both.  The great ones will have one or more whoppers in the failure column.  When they talk about those, they remember what they learned from their mistakes, how they did better next time.  

Security professionals are as frustrated or stymied as anyone else.  They learn to make peace with an imperfect world and navigate the uncertain waters that raise them high one day, only to submerge them to the depths the next day.  Over time, security professionals learn to take vicissitudes in graceful stride.  They learn to anticipate adverse consequences, and this knowledge carries over into organizational life.  They see it coming.  Ideally, they dodge the blow.  When dodging is no option, at least they brace for the punch.  

Security professionals put some distance between themselves and others.  It keeps them objective and creates more room for maneuver, more reaction time. Most of the time, Security is no one's best friend.  Often, though, Security is their only friend.  Security people know they get paid to try where others run or hide. Part of their job is not just what they do under routine conditions, but what they are prepared to do when things go bad. 

Security people may have ambitions, but they learn to keep them in check. Crime pays better.  So do the kinds of jobs that require more ethical flexibility. Organizational dynamics can put security practitioners at odds with some employee populations more than others.  Fortunately, the world keeps serving up just enough danger to remind most organizations why they have and keep Security on the payroll.  

Security at its best keeps spectacular losses from happening.  This makes it unspectacular and its consummate practitioners relatively unheralded.  Only the professionals know among their ranks or just within themselves.  And when they craft a worthy defense or foil an otherwise devastating attack, they know. They look up. They smile.  And maybe that's enough.

-- Nick Catrantzos     

Saturday, May 8, 2010

Terrorists and Kindergartners No Joke

In the wake of last weekend's failed attempt to launch Times Square night life into orbit, security and non-security practitioners alike are taking comfort in dismissing the threat of such amateur attacks. A Washington Post-affiliated blogger noted how boneheaded such attackers appear. True enough, until an attack succeeds. An alternative analysis, however, is accessible to anyone who examines such attacks through a management prism.

One such prism comes from trying to understand why our best and brightest consistently underperform in a management exercise sometimes called the marshmallow challenge. (If you want to see the details and exposition of these findings in a few minutes, see http://www.ted.com/talks/tom_wujec_build_a_tower.html ). The point of the exercise is for a team to make the tallest possible tower out of a marshmallow, some strands of uncooked spaghetti, duct tape, and string -- where the marshmallow must rest atop the structure that the team builds. There is a time limit imposed, too. MBAs consistently approach the challenge with highfalutin planning and theorizing. As a result, they talk themselves out of time and erect no tower, or put together an imposing structure that falls apart when they finally place the marshmallow on top. What group outpaces these people dramatically? You guessed it: kindergartners. Why? Instead of planning and talking the problem to death, they start by putting the marshmallow on top of a spaghetti strand and then just keep trying until they land on what works.

So, here we are. Like the MBAs in this story, we sneer and cackle at the kindergarten-like lack of sophistication at attack attempts that just don't stop. And somewhere there are very focused and committed kindergartners affixing yet another explosive marshmallow onto a sturdier tower, learning by doing, oblivious to our derision. Still feeling comfortably superior?

-- Nick Catrantzos

Friday, May 7, 2010

Times Square Bomber Craving Celebrity?

From today's Washington Post: "U.S. officials said Faisal Shahzad's radicalization was cumulative and largely self-contained -- meaning that it did not involve typical catalysts such as direct contact with a radical cleric, a visible conversion to militant Islam or a significant setback in life."
http://mobile.washingtonpost.com/c.jsp?item=http%3a%2f%2fwww.washingtonpost.com%2fwp-syndication%2farticle%2f2010%2f05%2f07%2fAR2010050700194_mobile.xml&cid=578815&spf=1

Self-contained or self-absorbed?

Media accounts of Shahzad's life before attaining notoriety for his failed attempt to blow up Saturday night revelers in Times Square point to an existence unburdened by achievement.  If anything, this young man went through the mainstream of life without even making a ripple. Consider:  Forgettable C student at college, over-leveraged first-time home owner, terminated junior employee without the talent, drive, or imagination to find productive work.  He even failed to properly make and detonate the explosive whose intended impact would have launched him into a terrorist hall of fame.   Now his only remaining supply of ego massage will hinge on how much air play American media bestow.  He may not be bright, but this does not exclude the chance he has a certain low, animal cunning.  

Look for him to say anything that gets a rise out of interviewers.   Operant conditioning will be at play, with a court room or news magazine show appearance his ultimate goal.  The more attention he receives, the less he will be encumbered by his towering insignificance.  

Even a smarter malefactor craves attention. Witness Christopher Boyce, a young man from a different time who also turned on his country. As the brains behind the Falcon and the Snowman collaboration, Boyce amused himself by drawing attention even after being convicted and jailed. How? He would periodically testify before Congress on the failings of the background investigation system that let him slide into highly classified work at a tender age based on character references that were mostly his father's peers with only superficial awareness of Boyce's proclivities. Only the clearance system benefitted from Boyce's revelations. What value the Times Square abortive bomber delivers will likely be more perishable and unaccompanied by insight. A young, malleable dolt digging himself from one hole into another will be hard pressed to appear smarter over time -- unless it is a slow news season and media handlers sculpt this lump into clay more imposing.

-- Nick Catrantzos

Saturday, April 24, 2010

Security Regulation Allure

A colleague with an approved and funded internal mandate to spend employer money on security improvements faces an internal raid. Other, financially strapped parts of the enterprise must scramble for money to forestall layoffs.  No matter how notorious those others may be for extravagant spending patterns and chronic inattention to budgets and deadlines, the larger organization must save them. Otherwise the specter of layoffs will cloud this workplace forevermore.  Or so the prevailing wisdom goes.  Welcome to a smaller, personal version of "too big to fail."

How does this connect to security regulation? Well, the only functions spared from this plundering are those cringing behind the force field, Regulatory Compliance.  No problem, you say?  Surely this protection extends over my colleague?  Not at all.  You see, my colleague is guilty of bureaucratic transgressions:  basing security investment on an analytically supported business case and playing by the rules to make this case, obtain approvals, and run an above-board program with total transparency and multiple audits.  In a bureaucracy, however, none of these steps matches the force field's value in shielding security investment from raiding.  If, instead of doing things the hard, responsible way, my colleague had a handful of regulations to brandish, the raid would be defeated.  

Security is no toggle switch to turn on and off instantly just before an attack. It is a rheostat that takes time to put in place and to calibrate for adjusting to the needs of the moment. But my colleague working to put this rheostat in place is now stymied by internal antibodies that do not understand or want to understand this subtlety. For them, if the money is not going into core business or into regulatory compliance, it is up for grabs. And thus the predatory and myopic impulses of bureaucratic self-preservation override the best efforts of a security professional to protect an organization from everything but ... itself.

-- Nick Catrantzos 

Saturday, April 10, 2010

Are Shortcuts Dangerous?

From today's front page: "Polish President Lech Kaczynski was killed early Saturday along with his wife, several top military officials, and the head of the national bank when their plane crashed ... [http://www.cnn.com/2010/WORLD/europe/04/10/poland.president.plane.crash/index.html?hpt=T1]"

After taking into account the elements of human tragedy and inevitable failure analysis sure to follow, what does a security professional see in this story? A costly reminder of why even B-grade corporations and institutions adopt policies that prohibit all executives from traveling by the same conveyance at the same time. In some cases, insurance policies and governing bodies bolster the reminder. Seeing top management as an asset that ties into the valuation of the enterprise, they insist that all these precious eggs not travel in the same basket.

Policy and reality frequently diverge, however. Even A-grade corporations and institutions with mature executive travel policies often end up placing their leadership at risk by ignoring this policy. Or, if not actually ignoring it, they rationalize it away as a priority to be seconded to the more pressing trump cards of cost, schedule, or efficiency. Respectively, the arguments go like this. One, the institution saves money by sending all the executives on the same flight. Two, given busy calendars, there is no time to fuss with scheduling separate flights for all the VIPs. Three, the executives must certainly be more productive if allowed to leverage travel time by talking shop and furthering their employer's business instead of napping or talking to themselves, as they might if deprived of familiar company while traveling.

Even security may be conscripted to the cause of defending this bad decision and policy violation. After all, one may argue that it diverts fewer resources to protect one limousine convoy and secure one aircraft reserved for conveying VIPs from one secured location to another. Cheaper, too.

Both arguments fall apart if one takes the long view. The real cost comes not from distributing one's risk instead of risking all assets together, but from considering what it takes to recover from self-facilitated decapitation. And if, by any chance, a loss-producing event like this plane crash involves not mere chance but calculation, dispersing the targets would have limited the attacker's chances of attaining the sought-after combination of means, target, and certainty of success.

Once again, there is no smart way to be stupid, as this Polish tragedy will no doubt reveal in days ahead.

-- Nick Catrantzos

Saturday, April 3, 2010

More of Same Yields More of ... Same

When the ethically flexible Frenchman who commands the police under Nazi masters in Casablanca appeases the ranking Nazi du jour by announcing he is rounding up TWICE the usual suspects, is he anticipating future grant dispensers and homeland security experts who demand equal satisfaction on the heels of every spectacular attack? It certainly looks that way. Else why do last Monday's Moscow subway bombings trigger the usual knee-jerk reaction at home? This reflex compels earnest homeland security critics to remark that America lags in anti-terrorist defenses of our own subways and surface transportation. This is how one accounts for the significance attached to pointing out that we have spent only $21 million of $755 million allocated for transportation security grants, per a June 2009 GAO report (at http://www.gao.gov/new.items/d09491.pdf).

The conventional wisdom is that this lag in spending reflects insouciance on the part of defenders. The corollary is that these slackers should be spending with gusto on risk assessments and detection technologies to demonstrate their competence. But is this round-up of twice the usual suspects really wise? Or is it ill advised?

Consider: TSA has deployed VIPR teams and carried out exercises at transit hubs already. I witnessed one myself at Union Station a few years ago. Hundreds of responders participated, sharing lessons across jurisdictional lines. But they had to run their exercise early on a Saturday morning to avoid complicating already unbearable commutes in a large metropolis. There lurks a lesson here for anyone who uses trains and subways infrequently: You cannot harden such a target sufficiently without paralyzing its capacity to perform. Anyone who had to rely on the train to go from Washington, D.C. to Manhattan while air traffic was grounded immediately after 9/11/01 will likely remember how adding one more complication to normal business travel would have easily halted that travel altogether.

There are times when institutions do their best by not disbursing public funds with feverish abandon. This is one of those times.

Transit security on the scale necessary to thwart a terrorist attack like Moscow's lends itself poorly to American freedom of maneuver without undue personal invasions. Otherwise, costs become prohibitive, lines crawl, and defense remains uncertain. A better approach would be to invest in citizen involvement, empowering and one day enabling fellow commuters not only to spot attackers but to also intervene to stop them, with the same assurance of Good Samaritan protections they would receive if performing CPR or a Heimlich maneuver.

Otherwise, we fool only ourselves and engage in security theater by calling for more spending, more cops on trains, more bomb-sniffing dogs, more security patrols, more interagency coordination -- more everything -- except feasibility and proof of results. We round up twice the usual suspects with little danger of catching the most deadly one before he or she strikes. We also force TSA into the role of the French police in Casablanca, a force reduced to appeasing petulant masters more than doing a tough and necessary job within available resources.

-- Nick Catrantzos

Sunday, March 28, 2010

Flaw of Prosecutorial Questioning

There is a world of difference between asking questions to establish guilt and asking questions to gain information. One approach focuses on obtaining a confession, usually for its evidentiary value. That value resides in supporting prosecution or some other action that begins with establishing guilt. The second approach, however, is less instrumental than exploratory. Its aim is to learn, not to alter the status of those questioned.

This fundamental distinction in approaches offers one look at why it matters whether an interrogation follows a "You did it" vs. "What is happening?" bias. This distinction represents the essential difference between law enforcement and intelligence questioning. The distinction also highlights why the law enforcement or prosecutorial bias remains fundamentally at odds with intelligence collection and why, on a cultural level, cops and prosecutors enter into intelligence collection with an infirmity proportional to the degree that this prosecutorial bias has infected their repertoire of interviewing skills.

The average length of time a police officer can allow a subject to speak without interruption in an interview is eight seconds. (Two separate sources corroborate this assertion: British psychologists Rebecca Milne and Ray Bull in their 1988 Investigative Interviewing, Chichester: John Wiley & Sons, 1999; retired RCMP polygraph examiner and corporate investigator for a major Canadian petroleum company, Barney Bedard, in his 2006 presentation on detecting deception before the American Society for Industrial Security in San Diego, at its annual seminar.) This penchant for interruption appears impossible to satisfy unless the questioner is aiming more for a predetermined answer than for terra incognita.

The principal flaw of prosecutorial questioning, then, is its inherent conflict with the unknown, with new information whose nuances and trajectory are anything but preordained.

The other kind of questioning comes with its own Achilles’ heel. But that is a dish to serve for another meal.

Prosecutorial questioning is purposeful, narrow, goal-oriented. It has its place as a supplement to physical evidence and can even be a godsend in the absence of any other proof of guilt. However, if one’s only approach to questioning is to establish guilt, then one becomes precisely the wrong questioner to attempt to derive perishable or strategic threat intelligence. The institutionalized myopia of questioning for prosecution is too big a hurdle to allow the majority of cops and lawyers to carry out the kind of open-ended probing necessary to find out what an interviewee knows of intelligence value. After all, the best of such material may have nothing to contribute to a conviction. Indeed, the answers to such questions may even undermine the prosecutorial objective by giving the interviewee leverage with which to seek a plea bargain or other deal in proportion to what he or she knows that we want to know. Consequently, the questioner whose main objective is a successful conviction lacks a professional incentive to ask questions that undercut this aim. And since interviewees often claim that the reason they did not supply certain answers was that they were never asked related questions, is it any surprise that a law enforcement bias continues to be precisely the wrong way to exploit captured attackers, like last year’s Christmas underwear bomber?

As a nation, we missed connecting these dots in September 2001. Significantly, in November 2001, the attorney general and FBI director acknowledged the need to move away from this prosecutorial bias. The deputy attorney general even said, "Our overriding priority is to ensure that all necessary and appropriate steps are taken to protect the American people, to prevent further attacks, and to disrupt terrorist cells before they can do more harm -- even if it means potentially compromising a criminal prosecution" (per CNN, November 8, 2001, at http://www.cnn.com/2001/LAW/11/08/inv.justice.revamp ). As the events of Christmas 2009 show, however, this must be an elusive lesson to grasp – except, perhaps, for adversaries bent on our obliteration.

-- Nick Catrantzos

Sunday, March 21, 2010

Internet Creating Radicals?

This question reflects our popular taste for hyperbole in all things cyber. The Internet is as helpful to terrorists as it is to other mortals. This does not mean it is itself creating radicals or terrorists.

Not every change is as instantly transformational as its advocates proclaim. The automobile may have replaced the horse-drawn carriage, but places to go remained about the same as the transition unfolded. Similarly, the Internet appears more tool of convenience than secret weapon. Dr. Abe Wagner*, a former government official tasked with exploring some arcane aspects of the terrorist threat, observed that Al Qaeda et al showed little interest in exploiting the Internet beyond the role of power user. They were not recruiting great IT talent, nor putting a premium on developing it from within. Why then assume they have cultivated extraordinary, Internet-based psychological warfare and brainwashing capabilities for a recruiting drive? Surely Madison Avenue ad agencies, PBS pledge drives, and military recruiters would be light years ahead of them by now, if such online dividends were within easy grasp.

A more likely reality is roughly akin to the migration from posting letters to using e-mail. The Internet is a tool. So is the telephone. So is the daily news. Anyone may use them to pursue an agenda, including terrorists in search of acolytes. But not every tool is necessarily a weapon. As Bill Gates mused in his book, The Road Ahead, an infusion of technology tends to accelerate the discovery of successes and flaws, without necessarily magnifying one or diminishing the other.

I suspect what we are witnessing in Sageman (who, in Leaderless Jihad, claims that the Internet is producing a fundamental change) is an impetuous exuberance that is defining as transformational a cyber phenomenon that, in reality, has been largely catalytic — so far. What will mark an actual transformation is a shift in frequencies from mere chatter to actual cases. Until we see cyber recruiting and related attacks taking place with a robust frequency to match their hype, the specter of the Internet as the driving force for radicalization will remain more chimera than danger.

-- Nick Catrantzos

* Abraham Wagner, JD, Ph.D., is engaged in the private practice of law and is Adjunct Professor in the School of International and Public Affairs at Columbia University, and was Visiting Professor of International Relations at the University of Southern California. He is also engaged as a consultant on national security and intelligence matters to the Departments of Defense and Homeland Security, serving on the Defense Science Board and other advisory panels. Following 9/11 he was the Chairman of a special task force in the Department of Defense looking at technology responses to evolving terrorist threats.

Sunday, February 28, 2010

Terror Label Solves No Problem

In the wake of recent spectacular murders in Texas -- one at the hands of an Army doctor shooting innocents at Fort Hood and another at the hands of a failed entrepreneur augering his small fixed-wing aircraft into an Austin federal building -- homeland security practitioners have risen to the attackers’ bait by rushing to call both terrorists. Both attackers sought to make more of their attacks than grudge-bearing strikes of unrespected failures against a target that barely acknowledged their existence. One slid into the ravings of jihad long after his unspectacular prospects became evident. Major Hasan, M.D., saw that his military career was going nowhere, his competence was insufficient to open the door to private sector opportunities, and the likely trajectory of his employment would be into harm’s way no matter what he could concoct in the way of excuses, tropes, and gambits. The other, Joe Stack, a self-styled high tech consultant with a history of failed attempts to cash in on the blandishments of sole proprietorship and Silicon Valley entrepreneurial opportunities, lost two families and multiple jobs. Yet he found a history of dodging taxes was catching up with him while the marketability of his skills was not matching his self-definition of captain of industry. Consequently, in addition to blaming all around him for his serial failures, and despite knowing better after previously running up federal back taxes in excess of $100,000, Stack decided to blame the Internal Revenue Service for his recent failure to file a tax return. He claimed the attending financial distress led him to aim his kamikaze flight into Austin’s IRS building as some sort of freedom fighter’s valiant act of defiance. In reality, he more likely wanted to end a life bereft of accomplishment or prospect.

When do homeland security practitioners become unintentional accessories after the fact? They do so whenever they magnify tragic loss by buying into attacker claims that the blood of innocents was spilled in the service of some higher cause.

“Terrorism!” shout the earnest practitioners. Why, Hasan must clearly be a radicalized Islamist who would otherwise be harmlessly practicing medicine guided by Marcus Welby and ER reruns. Alas, once his mind slid into a jihadi marinade, the physician who struggled to even rank among the mediocre all of a sudden became a mastermind, even if he ended up being the only member of his own terror cell. Similarly, Stack must have become a radicalized tax protestor. Perhaps he idolized Timothy McVeigh or succumbed to anti-government propaganda, ultimately turning from average loser into steely-eyed suicide pilot.

Suppose an alternative analysis, however. What if both these people were simply unhinged incompetents who saw no way out of the holes they dug for themselves? Would they not then do what most of us do best when facing such challenges without a viable support system? Dig themselves in deeper. Then, when in too deep, what is the last act of self-elevation available as they lash out? That’s right: go out claiming a connection with something greater than their wretched selves. Why? Because such a connection makes them something more. Otherwise, they face an end that replicates their beginning and middle: wading through the mainstream of life without even making a ripple. Affix to them the terrorist label, though, and you help transform them. Now instead of being a nothing-but, they become a something-more. Where are their networks, their cells, or even their disciples? We cannot find what does not exist.

Terrorism and terrorist labels can be irresistible for homeland security practitioners to brandish. Label one attacker a radicalized Islamist and you mobilize federal resources and subsidies to take on the problem and diffuse accountability for failing to prevent his carnage. Label the other attacker a domestic terrorist and you again lay claim to federal resources and deflect attention from those elements of our society which no one cares to invest in or mobilize to take a hand in our own defense: average fellow citizens. Instead, the terrorism label confines the problem to the purview of experts and continues to keep the rest of us at arm’s length. To name is to control.

There is a better way: a No Dark Corners approach. No Dark Corners would launch failure analysis in both cases without rushing to affix labels. Establish timelines of individual actions and identify signals of lethality that may have been missed. Probe further to see whether those signals were really missed or actually detected but not acted upon because of institutional or societal self-hobbling that we must face in order to undo.

Unless we start looking at such attacks more analytically through a defender’s prism, we doom ourselves to watch in repeated horror as such events replay themselves at another time and place while we pretend that affixing a label or pointing the accusing finger of blame somehow advances our security.

-- Nick Catrantzos