Friday, December 20, 2013

Why Yenta's Background Checks Better than Governments'

The discussion that follows just came in from the annual No Dark Corners Roundtable Forum and Christmas Luncheon held at a Claim Jumper restaurant this year.

It isn't just a question of gathering up more data. Bureaucratic functionaries would have us believe that if they only knew just a little more about betrayers like NSA leaker Edward Snowden or phonies like Mandela memorial sign language imposter Thamsanqa Jantjie, they could have prevented such ne'er-do-wells from turning into national humiliations. This is balderdash. A thriving matchmaker, or yenta, can do better with even more limited data and budget. How so? The matchmaker blends available vetting data with direct observation and progressive testing before taking risks with important clients. This is hardly a matter left to chance. Nothing ends a matchmaking business faster than serial failures and mismatches.

What do matchmakers know and do that governments fail to apply in their background checks?

1. They check out prospects and clients with available data, but don't stop there. The way to do this is for the matchmaker not only to gather basic information via a standard questionnaire, but also to use that questionnaire as a starting point rather than an end point. The questionnaire informs a personal interview where the matchmaker gauges motives, manipulations, and determines what inevitable deceptions are acceptable white lies vs. dangerous fabrications. A savvy matchmaker also checks independently into reputations to determine whether it is worth doing business with a given candidate or client. After all, the matchmaker's own reputation is at stake if the match turns catastrophic.

2. They chaperone. The best matchmaker does not risk important clients by setting up liaisons with question marks. Instead, a low-risk experiment comes first. Thus, one sends a new, unknown prospect on a low-key lunch date to see how well it goes before presuming to pitch a weekend getaway in Monte Carlo with a shy billionaire client. A cautious matchmaker also knows how to be a chaperone without being a killjoy. The finesse is that of serving as a seasoned co-pilot who stays far enough in the background to let the aspiring pilot handle the take-off but remains close enough to take the controls if there is a malfunction or problem with a safe landing. (For details on how this co-pilot model applies to insider threat defense, see Managing the Insider Threat: No Dark Corners, Boca Raton: CRC Press, 2012.)

3. They have enough of a stake in the deal to cut it off at the first sign of trouble, before a problem becomes a catastrophe. Unlike government background checkers with a hit-and-run mentality, matchmakers have a vested interest in follow-up and follow-through. Matchmakers have to own their results, taking credit for the sunshine as well as the rain. Government background checkers don't function with the same accountability. When was the last time a government employee lost a payday or a job from clearing a Snowden for classified access or a Jantjie for standing a dagger-thrust away from heads of state? We don't hear about it because this seldom happens. By contrast, a matchmaker whose deficient vetting produced such fiascoes would face no alternative but to embark on a change of careers.

Without necessarily realizing it, competent matchmakers exemplify some of the signature No Dark Corners (op. cit.) approaches to defending against insider threats. Their vetting process is akin to an enlightened new hire probation system, where penetrating scrutiny prevails over perfunctory checking. Their chaperoning and phased exposure to risk parallel the co-pilot model of limiting chances of undetected mischief. Finally, their ownership of their results keeps matchmakers vitally engaged in becoming and remaining a part of a team which is accountable for failure as much as for success. Until something like this happens in government-related background checks, look for more debacles to come.

-- Nick Catrantzos

Monday, December 16, 2013

Security Lessons from Somali Piracy

The motion picture Captain Phillips may indirectly give us pause to note a decline in Somali piracy. What can this decline tell us more broadly?

It seemed only a few years ago when the rise of piracy on the high seas sent the cargo freighter world and its insurers into frenzy and despair. Somali pirates were regularly boarding oil tankers and undefended commercial vessels at gunpoint, holding hostage their cargos and crews, and extorting million-dollar ransoms as a matter of routine. From about 2008 to 2011, piracy grew to over 40 successful attacks a year. Then the numbers began to tell a different story. There were 47 such hijackings in 2009, 46 in 2010, but only 14 by 2012. (For details, see http://www.independent.co.uk/news/world/africa/huge-decline-in-hijackings-by-somali-pirates-8602901.html )

One study offers a multitude of explanations for what led to the growth and more recent decline of Somali piracy. (Details are at http://piracy-studies.org/2013/the-decline-of-somali-piracy-towards-long-term-solutions/ )

Stripping the study of its plumes and spangles, the essential reason behind the boom in piracy was this: It paid well. This payoff came in the form of relatively low risk for relatively high reward.

With automation being what it is today, cargo vessels on the high seas began to operate with relatively small crews, and those crews were, by international maritime policy, intentionally unarmed. This was well known. Moreover, no armed naval forces were paying attention or allocating resources to escorting, defending, or rescuing the potential targets until their frequency of victimization became alarming. Additionally, the legal shambles that passed for the government of countries most likely to serve as home base for pirates were such that the pirates had little to fear in terms of capture or prosecution at home. These foregoing developments meant that the risk facing would-be pirates was minimal.

At the same time, realizing a return in millions paid to ransom ship and crew was the kind of payoff unmatched by a lifetime of honest work in the same countries where few jobs were to be had. The prevailing euphemism, economic dislocation, is one way of sugar-coating the relative attraction of piracy to communities when their members have no productive work prospects and have ceased to collect handouts once the flow of United Nations' subsidies has declined to a trickle. Add these factors all together, and piracy became an attractive career choice. So, what changed?

For one thing, despite much international angst over the liability and unseemliness of so unsophisticated a throwback option, the targets started to arm themselves. For another, aggressive naval patrols by nations with a stake in hijacked crews and cargo started changing the risk calculations for pirates. Getting caught or shot will do that to a predator. Another raising of the stakes for hijackers came with aggressive prosecutions and sentencing for their crimes. (According to the first article cited above, over 1,100 Somali pirates have been jailed in 21 countries since prosecutions started in earnest. Considering that the estimated number of active pirates was 3,000, these incarcerations made a discernible impact.) Thus there came to be consequences for villainy, a price to pay. The net result of all these measures was to change the situation to the point where piracy was no longer such a good deal for the aspiring pirate.

There are useful security lessons to harvest here and to apply more broadly. Among them are:

1. No matter how unsophisticated and agonizingly debated it may be to do so, you make yourself less of a target if you take visible steps to defend yourself. Most attackers perform risk assessment at some level, even if not through any complicated, analytical process. Even if they operate with nothing more than low animal cunning, they realize that their odds improve when attacking undefended targets and those odds get worse if going up against targets equipped and willing to defend themselves.

2. Few adversaries are invincible, and most will back down if they face a broad array of defenses (such as armed vessels and crews, naval patrols, and a legal system that imposes consequences). At first encounter, an enemy may seem formidable when attacks are unexpected and defenses are inadequate. With the steady addition of well conceived defenses, however, it is not only possible but likely for defenders to prevail.

3. Once a major security problem appears to be solved, watch for the possibility of a new but related one to occur. In security theory, this is the phenomenon of displacement. For example, when car alarms became effective and widespread, some car thieves had to change their tactics; they became car hijackers instead. A car difficult to steal when secured but unattended became easier to acquire by forcing its keys out of the hands of the driver while the engine was already running. In the case of the present decline of Somali piracy, the speculation now is that thwarted pirates may similarly resort to different targets and tactics. One possibility is kidnapping high-value executives and holding them in exchange for ransom without having to encounter the new security measures at sea. Another possibility is that if defenders start diluting or abandoning their countermeasures because they prematurely declare the problem as being solved, it will resurface once conditions tilt back the risk-reward calculation in the pirates' favor.

In addition to this situation offering lessons to learn, it also offers lessons not to forget.

-- Nick Catrantzos

Friday, December 13, 2013

Fairy Tales and Ex-FBI Spy in Iran

Whatever Robert Levinson was doing that resulted in his disappearance in Iran over six years ago, the latest explanation of a rogue intelligence operation defies logic, coming across as yet another fairy tale du jour that does no good for an American in captivity who is suffering or gone. The latest explanation is that this retired FBI agent with a knack for cultivating snitches throughout a 28-year career in law enforcement somehow materialized in Iran to recruit a suspected murderer at the behest of a CIA analyst. (For details, see http://www.washingtonpost.com/world/national-security/ex-fbi-agent-who-went-missing-in-iran-was-on-rogue-mission-for-cia/2013/12/12/f5de6084-637b-11e3-a373-0f9f2d1c2b61_story.html )

The picture painted in the foregoing narrative is that a CIA analyst who had forged a professional relationship with Levinson over the years hired him as a contractor and tasked him to gather intelligence on Iran in a rogue operation. This rogue operation, as the story goes, bypassed all the CIA's mature clandestine collectors and support mechanisms (including basic tradecraft, it would seem) and, significantly, channeled Levinson's reports to the CIA analyst at her home instead of her office.

This narrative has enough holes to rival a minefield, but consider only one neglected so far: How could an intelligence analyst actually benefit from the unvetted yield of an unsanctioned collection effort? It may take a passing conversance with human intelligence collection, reporting, and analyst involvement to spot this discrepancy.

There is a basic pas de deux between collectors and analysts that roughly follows this sequence. Collectors focus their efforts to address intelligence requirements, which are questions that analysts have about foreign intentions and capabilities. When the collectors obtain something responsive to a given requirement, they cite it on the report they write. Meanwhile, the collector's boss and unit check out the report for accuracy and completeness before sending it into the system. This process, in turn, distributes the report to the interested analyst for review and comment prior to dissemination throughout the intelligence community. If the report is particularly good and highly responsive to analyst needs, the analyst ends up using it for a more important analytical product, such as a National Intelligence Estimate. When this happens, the analyst supplies good feedback and positive ratings back to the collector through the system. The collector's report benefits from a high rating or grade, the collector and analyst are both pleased, and the collector is thereby incentivized to produce more reporting along similar lines because (a) there is an audience for it, and (b) that audience is officially rewarding the collector and collection effort.

Now, what is wrong with the picture painted in the latest story? The answer is that there is no way for the analyst in question to actually use the reports Levinson allegedly sent to her home. How can she cite them in any official intelligence study or estimate? Rogue reports are not in the system, have undergone none of the basic vetting that a boss and unit perform for quality control, and do not exist in a way that anyone else in the intelligence community can legitimately use or cite. For this reason alone, the "rogue" collection effort run by an analyst in the way characterized above just does not wash.

The protocols of clandestine collection exist for a reason. That reason is effectiveness, as measured not only by the quality of the yield that they produce but also by due concern for the personal safety of all persons involved in the hazardous task of obtaining useful information from human sources in risky corners of the globe. Iran is a hostile or denied area, and it would be more than malpractice to send any American there on an intelligence mission without extreme caution and preparation. This is why there are overseas stations, station chiefs, tradecraft, and legitimate processes in place to govern the interactions of collectors and analysts alike. Rogue operations are certainly possible in theory, but something is missing in this latest fairy tale. Even if an analyst can bypass the system by using contractors to collect data, that still leaves the analyst professionally unsatisfied unless the resulting yield can enter the intelligence community legitimately. Otherwise, why risk a career and the life of a contractor to gather something you cannot use?

There has to be more to this story. The fairy tale of a rogue operation orchestrated by an analyst just does not hold up to scrutiny.

-- Nick Catrantzos

Monday, December 9, 2013

Making Prevention Contagious for the Holidays

Security in its broadest application is all about preventing adverse consequences, but the details of prevention can seldom compete against loss-inducing fads ranging from knockout game attacks, flash mob robberies, and spree killing even to teen suicide. In the case of the latter, the magnitude of the challenge becomes apparent in a statistic: The suicide rate today is three times what it was in 1950. However, the source of this statistic also offers new hope in trumpeting otherwise unheralded successes in curbing suicidal tendencies of today's teens. (For details on both data points, see http://www.csmonitor.com/USA/Society/2013/1208/Teen-suicide-Prevention-is-contagious-too)

What can we learn from such suicide prevention programs to inform other protection via prevention? First, there is a question of attitude. In the suicide prevention world, this comes down to noting and continually reminding oneself of reasons for living, as the linked article highlights. Perhaps no one said it better than concentration camp survivor and psychiatrist Viktor Frankl in his book, Man's Search for Meaning, where he pointed out that what kept some concentration camp prisoners going while other, more or less identical prisoners lost hope and perished was that the survivors chose their attitude and set themselves tasks to perform every day. These are what the foregoing article today calls things to live for. Speaking in the voice of Sherlock Holmes, Conan Doyle put it another way a century ago when he said that work remains the best antidote to sorrow. What, then, is the attitude to adopt to any protective challenge? It is that the challenge is attainable, a job to do, and one that is worth doing.

Second, what else can we learn? As in suicide prevention, protective action in general delivers its best yield when focused upstream of a crisis point. In other words, waiting until just before disaster is waiting until it is too late. One must anticipate adverse events and act in advance in order to channel them away from the worst of consequences. Prevention is best and most affordable when performed early, before a crisis has become apparent.

Third is a focus on relative costs and benefits. As a colleague in the protection business used to point out, suicide is a permanent solution to a temporary problem. The application to preventive action for situations less dire, such as protecting one's retail business, or trade secrets, or even for defending against some sophisticated form of reputational risk calls for similar taking of stock. What is the cost of neglecting security contrasted against a catastrophic loss? If we don't know or haven't thought this through, then we are most likely contributing to an unwitting acceptance of such risk. This is akin to the myopic perspective of a self-absorbed, callow teen obsessed with eluding temporary, often exaggerated torments through immolation without regard for the pain that suicide causes to others or the variety of alternatives which could not only have solved the ephemeral problem but ultimately led to the sweet self-satisfaction that maturity finds in another aphorism: Living well is the best revenge.

Here, in a nutshell, is the derived prescription for recharging the protective batteries of one's security prevention program for the holidays:

1. Adopt a can-do attitude based not on wishful thinking but on a candid appraisal of alternatives.

2. Focus prevention efforts upstream of the crisis point. Do the little things in advance so as to face less of a herculean obstacle just before all hell breaks loose.

3. Weigh relative costs against benefits, with an eye to long-term benefits. Remember that the cost of not taking prudent, preventive action is likely to outweigh the expense if the net result of inaction proves to be a catastrophic consequence.

Happy holidays.

-- Nick Catrantzos

Friday, December 6, 2013

Sopko Seeing Cash Cow in $34M White Elephant?


Why would Pentagon brass soldier on with construction of a multimillion dollar building in Afghanistan for a U.S. military that did not want it or had no reasonable expectation of taking up beneficial occupancy as America was announcing plans to withdraw from Afghanistan? John Sopko, Special Investigator for Afghanistan, raised this question before and, after being stonewalled with a perfunctory report of the military's own inquiry into this matter, Sopko is back. (For details, see http://www.foxnews.com/politics/2013/12/05/miltary-watchdog-to-re-open-investigation-into-millions-wasted-afghanistan-hq/?intcmp=trending) Sopko's probe is no small task, and the answers and support that have eluded his efforts to date may signal a greater deception than mere bureaucratic stonewalling.

A look at the built-out but unoccupied facility cannot help but raise eyebrows. If pictures shown in an unintelligible mangling of the original news story are better than the story's atrocious English (at http://www.daytodaynews.com/topstories/34m-white-elephant-watchdog-to-re-open-probe-of-unused-military-facility.html ), then the building looks like an ordinary administrative facility, rather than some exotic laboratory or production plant whose price tag traces more to the contents than to the structure of the complex.

Let us thread together some logical premises and conclusions to infer what dark current may be running beneath the glittering surface of what looks like a $34M waste of construction funds.

First, if the story Sopko unearthed so far is true, one military general has already gone on the record to rate this facility unneeded and undesired. That it also remains unoccupied only adds to this general's credibility.

Counterbalancing this general officer's doubts over the operational value of the facility, the Pentagon's internal probe of this expenditure apparently concluded that the construction was warranted and the expense justified. Now, assuming that generals do not reach flag rank by being stupid or demonstrably disingenuous in the face of legitimate audits, what legitimate reason could there be for one general's studied and fully staffed report to contradict a field general's unvarnished assessment of operational value?

The only category of answer that makes sense is this: There must be a higher, prevailing national interest at stake. And what might the face of that overriding national interest look like? It could very easily look like what may be variously called, on a scale of euphemistic intensity, offsets, facilitation payments, bribes, payoffs, kickbacks, or extortion payments.

In the United States and for U.S. companies, the Foreign Corrupt Practices Act exists to curb the predatory impulse that leads some businesses to win contracts by lining the pockets of the entity awarding the contract and some customers to deny business to any entity that refuses to supply some kind of requested kickback. At its most benign, this process results in U.S. sales to foreign clients on condition of offering certain offsets to the high cost of items sold. Such offsets could take the form of assembling some components of a U.S. product in the buyer's country or accepting as partial payment some natural resource or manufactured goods that the buying country has in abundance. Thus, the buyer's sticker shock is offset with local benefits, like jobs for its citizens or an artificial market for goods that are not selling well on their own. Such arrangements could, at least theoretically, explain why a struggling Latin American country bought its jet engines from France instead of Britain or the U.S. because the French were willing to buy more bananas and set up an assembly facility in-country, whereas their competitors were slow to warm to such an arrangement. So much for the benign approach to offset, which may well be structured in legitimate and transparent terms.

Where does the ethically challenged version creep in? Countries run by plundering oligarchs are notorious for giving bidders to understand that it is impossible to do business in their country without having a local office run by a local national. Unsurprisingly, the best if not only such local office invariably ends up being operated by a government official's family member or tribesman. A commission, or facilitation payment, is expected to go to such an office, and woe to the international business that tries to compete only on the basis of product quality and competitive pricing. It soon becomes clear to serious business people from the outside that the only way to obtain business in such an arena is to pay. Such payment may take the palatable form of facilitation fees charged by a local office acting as middleman and perhaps even providing actual value. However, it may equally transpire that the business finds itself compelled to pay the same fees for no service at all. This becomes the cost of doing business in that particular market, no matter how unpalatable it may be. And some of the recipients of such payments are less subtle and more demanding than others.

Look to the contract and to where the bulk of the $34 million has gone since this white elephant of a building was commissioned. Was this a glorified cash-for-poppies program crafted to supply Afghani villagers with an alternative means of making a living in exchange for backing down from their opium trade? Was it a payoff to regional panjandrums to buy their cooperation or at least reduce their targeting of American combat troops? Or was it part of a quieter, national leadership arrangement to "facilitate" arriving at a desired level of cooperation with Afghani officials in positions of influence?

The Sopko probe may have been stalled, but it appears as unyielding as the Chinese water torture and, as long as it is not completely halted or undermined, it will eventually bring to light some instructive findings.

-- Nick Catrantzos

Monday, November 25, 2013

When Domestic Spying No Longer Intelligence

An Argument Not about Civil Rights but Competence

When NSA, DITU (more, below), and other technical collectors of electronic data engage in gathering up every e-mail and telephone communication they come across, then they are engaged in data vacuuming, not intelligence. Why? By definition, intelligence is analytical, selective, and differentiated from mere accumulation of data. What distinguishes intelligence is the infusion of analysis with a focus on satisfying collection requirements that serve the national interest. In other words, intelligence is akin to asking a relevant question, taking down the answer, and corroborating and weighing that answer before weaving it into a report on (usually) foreign activities in order to inform the decisions of our own national leaders. (For a distinction between intelligence and information, consult a brief, accessible monograph by the U.S. Coast Guard, Coast Guard Publication 2-0, Intelligence, May 2010, available at http://www.uscg.mil/doctrine/CGPub/CG_Pub_2_0.pdf )

When the National Security Administration, a domestic signals interception arm of the FBI called the Data Intercept Technology Unit, or any other government service sets itself to collecting every available signal first, in hope of sifting through it later for potential intelligence value, this process turns into routine fishing in a boundless sea. (See this November 21 article in Foreign Policy for fresh details: http://www.foreignpolicy.com/articles/2013/11/21/the_obscure_fbi_team_that_does_the_nsa_dirty_work ) The process takes on the appearance of a horde of minions too unsophisticated to ask questions and work with the answers who instead resort to copying and scanning every book in sight on the theory that someone, somewhere will find some important answers in all this -- eventually. After all, if there is enough horse manure, there must be a pony here, somewhere.

What perpetuates this rote collection is that data vacuuming like this is not entirely without value. It may indeed supply some intelligence yield once sifted, analyzed, and, where possible, woven into an overall fabric that forms the larger tapestry of a meaningful intelligence estimate. Absent this weaving process, a step easily bypassed in the zeal to vacuum all data in sight, this data collection threatens to turn into a perpetual pulling of loose threads to stuff into a room which takes on the character of a hoarder's clutter rather than an executive's reference library. This recalls the kind of problem that may have led management authority Peter Drucker, in his final years, to observe that in modern information technology (or IT), there is a tendency to find more T than I (Management Challenges for the 21st Century, NY: HarperCollins, 1999, pp. 97-99).

The problem is that just because technology enables doing something on a massive scale this does not mean that the doing will necessarily result in a worthwhile yield. Indeed, one must ask whether the modest or unassessed yield is in proportion to its cost, whether that cost be measured in dollars, staffing, civil rights, public confidence, or all of these. When it comes to thwarting terrorist attacks like that of the Boston Marathon bombings, a dispassionate observer could argue that all the signs were there and yet all the capacity to intercept communications of or about the bombers failed to deliver a protective or preemptive yield. To say that these attackers got lucky, fell through the cracks, or otherwise eluded preemption because no system is perfect is to nevertheless highlight how massive post-9/11 data vacuuming appears to leave us with the same vulnerability that existed before we had this capacity. Maybe we have lost our focus. Perhaps we are diverting too many resources to solving the wrong problem. Making intelligence serve preemption may be a higher value than data vacuuming for its own sake.

Just because someone gives you a crutch, you don't have to break your leg. In a sense, data vacuuming on a massive scale is to NSA what behavioral detection has become to TSA (about which more earlier this month in this blog under Blame Detector, Not Behavioral Detection): a potentially useful tool being misapplied. What remains to be seen is whether this tool is an instrument of intelligence or an unfocused, unaccountable exercise in wielding technology just because it is there. Intelligence is more than raw data; it presupposes interjection of mind into the swirl of events, and not just the promise of eventual synthesis and analysis. Mere data vacuuming on a massive scale hardly measures up well in passing for intelligence.

-- Nick Catrantzos

Wednesday, November 20, 2013

Knockout Game Defense

Recent media coverage of unprovoked attacks by urban teen males against unsuspecting targets centers on the brutish pastime of felling a passerby with one punch while at least one confederate captures the action via mobile phone video. Look up "knockout game" in Google and YouTube for descriptive details and videos. In terms of personal security, however, such topical treatment of the attacks does little to inform one's defenses. Where does one look for ideas on how to minimize the chances of becoming victimized by a knockout game enthusiast?

Consider other violent attack trends across the years and continents, and enough common features emerge to enhance diagnostics and defensive prescriptions. In the 1800s in India, thugs started murdering British expatriates, combining ritualistic strangulations with mercenary theft in the process of disposing of their victims. Eventually, the British focused legal and military resources to eradicate within six years a thug threat that had persisted for more than two centuries. However, before this eradication campaign could begin, the British first had to recognize the problem, and it took over a year to admit its existence. One can only imagine that, after Clive had missed multiple polo matches, gins and tonics, and the occasional business meeting at the East India Company, his colleagues raised an eyebrow. After Simon and Nigel similarly disappeared within a few months as well, their murders must have become impossible to write off as misadventure from getting lost in the bush. (For illuminating details on this thug experience, consult J. Coloe's 2005 master's thesis, "Government actions in the demise of the Thugs [1829-1835] and Sikh terrorists [1980-1993] and lessons for the United States," Naval Postgraduate School, Monterey, CA.) For our discussion, however, the first point is this:

1. Recognize the problem and the threat.

The difficulty in applying this lesson to the knockout game is that news reports vary widely in how they characterize these attacks. Some say that the attacks are completely random and are performed by "troubled" youth. It is unhelpful to defenders that such reporting glosses over descriptions of attackers and often omits similar identification of targets, ostensibly to protect identities of minors who are carrying out the attacks and to protect the privacy of victims. However, as reporting starts to produce more specifics, a pattern emerges, as noted by expatriate New Yorker Thomas Sowell, a celebrated economist, emeritus professor at Stanford, and Harlem native who overcame more than his share of prejudice while growing up in a tough neighborhood. Sowell points out that the attackers are blacks and their targets are Jews, at least in New York (details at http://nypost.com/2013/11/19/thugs-target-jews-in-sick-knockout-game/). Other targets to date have included women, the homeless, and unsuspecting white and Asian passersby, so Jews are not the only targets. The one common element that keeps resurfacing, however, is that the attackers are young, black males. Sometimes they appear in groups, with one breaking away to sucker punch an unsuspecting victim. At other times the attacker appears to be striking solo, while a confederate captures the punch on video. The emerging picture is that the assailant carries out the attack within the viewing range of his videographer, a peer who can frequently be overheard complimenting the attack once it gets posted onto Facebook or circulated via social media.

2. Spot the preconditions for an attack.

Based on attacks described so far, the knockout game needs an audience, a target, a viewing angle for video capture of the attack itself, absence of potential defenders or attack disrupters, and maneuvering room for the attacker(s) to approach and depart the scene with enough rapidity to minimize the chance of being caught or thwarted. This now begins to yield useful information for defenders.

The foregoing details allow us to infer, for example, that a knockout game attack is unlikely to take place in a boxer's gym, a fire house, or a cop bar hosting a promotion party for a favorite SWAT team member. Why? These are all places likely to be inhabited by people with good reflexes and trained response capabilities. Not only are they likely to see an attack coming, they are likely to engage and counterattack, leaving attackers worse off than they started. If this is true, then we may also reasonably infer that knockout game participants are risk averse. They do not look for a level playing field or a fair fight.

Similarly, we may infer that such an attack is unlikely to take place indoors or in a crowded area which would impede rapid exit. Getting away without a hitch is one of the unstated preconditions.

What about a very dark street or site experiencing fog, rain, or blizzard? This won't work for the attacker, either. Such conditions negate the video documentation objective, which is essential for bragging rights. If the street is too dark, even a cell phone with a flash won't help because the flash would attract attention, possibly putting the intended victim on alert that something is amiss. With bad weather, filming opportunities become even worse.

3. Analyzing the preconditions, learn what to avoid.

Avoid looking vulnerable in an open area away from possible defenders where any youth can approach you rapidly. You look vulnerable when you are alone and preoccupied (as with a cell phone or with body language suggesting that you are oblivious to your surroundings).

Watch out for a team of at least two young males where one has raced in front of you and is holding a cell phone pointed in your direction, as if to video some event where you are about to be a featured performer. Watch out particularly if the approaching young males are black and you are not.

4. Change the preconditions to limit your attractiveness as a target.

If you must venture into areas that are prime for a knockout game attack, go with one or more companions. Scan your surroundings as you move, projecting awareness and self-assurance rather than diffidence and distraction. If you are trained in and legally able to carry defensive weapons, keep them where you can use them instantly. If not, carry anything legal that can nevertheless disrupt an attack. This can be as simple as a small pocket air horn to make a loud noise that startles the attacker or even an atomizer of the strongest-scented Avon product you can find. Pepper spray may be handier, though. Above all, at the first sign of alarm, move away as fast as possible. Knockout game players are no evil geniuses following intricate plans. Change the preconditions, and you will most likely defeat the only attack scenario in their inventory.

What Not to Do

Ignoring the common features of attackers and of attack preconditions on the theory that basing your defenses on these things would make you too judgmental would certainly be an option. It is an option to embrace only at your own peril.

-- Nick Catrantzos

Tuesday, November 19, 2013

Good Security from Lousy Jobs

Security is a negative that can never be fully established, even if its breach or absence stands out like a tarantula on a wedge of banana cream pie. Any dilettante may spot a security failure, but even the best security expert will hesitate to proclaim a site, person, or operation entirely secure. In this context, it comes as no surprise that security invites opinions from all, whether expert or oaf. Why? Security numbers among the basics in the hierarchy of needs, falling between love and hunger (if the ghost of Abraham Maslow will permit this interpretation). And, as we have established above, even the unschooled may at least comment accurately on security failures, albeit they may lack the capacity to fix them.

Whence comes the capacity to perform troubleshooting and apply innovation to security problems? The answer may not be as intuitive as for other professions. The protection business, after all, still struggles for legitimacy in the realm of academic standing and industry credentials. True, there are security degrees and certifications. However, their presence or absence seldom proves dispositive in the hiring process. Verifiable experience in the area of urgent need remains the most important criterion in filling security positions. Unsurprisingly, security training tends to be narrow and task-oriented. The practitioner earning a living as an alarm technician rides that narrow expertise into a vice presidency. The one who starts out as a guard remains a perennial solver of all security problems by proposing to add more guards to the operation at risk. The cyber security practitioner spends an entire career defending data in electronic form. The defense contract security specialist makes a living complying with contractual requirements whose principal focus is administrative herding of classified material and all those who lay hands on it. How do any of these practitioners learn to tackle a workplace violence situation, a terrorist threat, a case of industrial espionage, or a sabotage attack by a radical group fiercely opposed to their employer's existence?

They learn one of two ways, if not both. Either they awake one day and find themselves assigned to handle the emergent security problem in one of those games of cosmic tag that the Fates handed them on the job, or they actively pursue the broadening of their security experience by working for a consultancy. The first is an act of chance; the second, of volition.

Consulting turns out to be a lousy job for practitioners whose proclivities and capacity incline more toward problem-solving than business acquisition. On the plus side, a busy consulting portfolio exposes the practitioner to a broad array of clients, environments, and security dilemmas. Surviving in this arena is impossible without delivering value, which in turn compels the practitioner to learn more than the mantras of one security niche and to also employ critical thinking to address predicaments that bedevil clients. Thriving in this world, however, takes another set of skills, and these are only incidentally related to actually protecting people or property, namely, business development.

In other words, one must be able to sell in order to advance to the highest, best-compensated level of security consulting. Selling requires talking, listening, promoting, and persuading others to take a chance by engaging one's firm to provide services for which there is seldom an absolute guarantee. At its absolute best (which is an executive talent distinct from glad-handing, back-slapping peddling), this skill translates into becoming the client's trusted adviser who delivers intangible value beyond solving a single security problem. It takes finesse to do this well, and it sometimes takes a vast reservoir of confidence which suffers if needlessly burdened by doubts based on a deep understanding of security challenges. As a result, it often happens in the best of security consultancies that the person who sells the job and sustains the client relationship is not at all the same as the one who does the actual work and solves the security challenges. This situation can be hard on both the client-facing and problem-solving consultants, but it is harder on the latter.

To the security consultant in the business to protect and to solve problems, selling the work may appear unsavory or secondary, a lousy job. To the consultancy, however, getting business comes first. Without it, there can be no consultancy, no income, no professional staff to solve client security problems, no client -- nothing. The consultancy is a car where a business developing executive is the accelerator and a security expert is the brake. The car needs both to function effectively, but first needs an accelerator. Otherwise, it is not a car but a cart. And so the executive consultant whose greatest expertise is in selling services invariably bubbles to the top of the hierarchy, earning more compensation, status, and decision-making authority than the security practitioner who is expert at solving client problems but less proficient at capturing new clients. The practitioner in these circumstances makes his peace with his limitations of skills or career prospects, develops selling skill to match or exceed security expertise, or leaves for other work more suited to his capacities and tastes.

Security consulting can be a lousy job. It is by nature episodic, which means one is constantly biting into different problems without staying around long enough to digest an entire meal. Some practitioners find this aspect of the work too unsettling; they want to be on the ship when it sails. Others, however, find this work bracing and broadening. Success at security consulting brings with it exposure to more people, places, and protection challenges than a career with one or even a handful of employers would afford. It is a broadening experience akin to learning a foreign language and functioning in a new country. The practitioner who has been effective as a security consultant offers a broad knowledge base and aptitude for getting results when hired to direct the security department of a public or private sector organization. This is one way that even lousy jobs can ultimately contribute to better security: the consultant who is a refugee from those lousy security jobs appreciates the steadiness of the current employer yet brings a depth of experience unavailable to someone whose entire world view and knowledge base come from the same employer.

There is another value of lousy security jobs. Persevering through them to attain some objective measure of success eventually gives the practitioner a surer sense of self and more confidence in his or her own abilities. The net result is more security in one's own worth, a good thing to have that remains portable beyond a lousy job.

-- Nick Catrantzos

Thursday, November 14, 2013

Blame Detector, Not Behavioral Detection

As the Government Accountability Office takes TSA to task for catching no terrorists and realizing no verifiable security benefit from its behavioral detection program, the popular temptation is to demonize the tool instead of its ham-handed implementation. (For details see http://p.washingtontimes.com/news/2013/nov/13/tsa-wastes-money-profile-passenger-behavior-report/)

That would be a mistake, the kind that perpetuates the myth of racism reflexively attached to the term behavioral profiling out of a rash equating of all profiling with racial profiling. Let us begin by clarifying terms in order to put the pin back into the grenade that pejorative labels have become.

Racial profiling is stereotyping at its worst, usually associated with authorities singling out minorities for invasive attention or arrest on the basis of their skin color instead of on the basis of probable cause. This is reprehensible and inexcusable -- as is any abridgment of constitutional rights or due process under any smokescreen offered to legitimize it.

Behavioral profiling is altogether something else. Its only relation to racial profiling is that both terms use the word "profiling," which is not enough to make them synonyms. Otherwise, progressive agenda would be indistinguishable from conservative agenda, financial asset would be the same as financial liability, and confidence builder would be no different from confidence man. After all, one word is the same in each pair of two-word labels. Please acknowledge the weak logic behind making such definitional leaps.

No, behavioral profiling owes its place in the quiver of security arrows to Israeli security screeners for El Al, who are to TSA what a surgeon is to a butcher. The signature case establishing the security value of this technique involved catching a pregnant Irish woman with a bomb who looked nothing at all like an Arab and who did not herself know that she was carrying Semtex concealed in her luggage onto her flight to Tel Aviv. What happened? Her Jordanian boyfriend targeted this woman as an unwitting agent, wooed her, got her pregnant -- all purposefully in order to guarantee that she would fit no traditional stereotype. Consequently, detecting her by "racial" profiling would have been impossible if El Al screeners were only looking for young Arab males who fit some preconceived list of what a Hollywood filmmaker would ask Central Casting to use in advertising for someone who looks like a terrorist. So, the terrorist was himself betting on racial profiling and ready to bypass it.

Now we see where the behavioral clues took over to unmask this plot. The essence of the behavioral technique involves asking questions to pierce through the kind of cover story that villains must use in order to get through security screening. Using this technique is more akin to counterintelligence than police work. It takes a thinking questioner to drill down to the point of spotting where the cover story breaks down. And this requires a supple mind rather than the rote grinding through of a checklist. Thus, the El Al screener asks the purpose of the traveler's flight and engages in conversation to validate that the answers make sense.

In the case of the pregnant woman who was unwittingly carrying a bomb, her story just did not wash. She was going to meet her fiance's family, but he was traveling by separate flight. She was going to be met by people she did not know and did not have enough money even for cab fare. In reality, she was in love with the boyfriend and father of her child and, as a result, was understandably gullible. Not so for the El Al screener, however. Spotting the inconsistencies in her story, he used the behavioral technique to flag this passenger for extra scrutiny. This scrutiny, in turn, found the Semtex before it made its way into the cabin to detonate in flight and take over 300 lives. (For details on this particular case, look up the 1986 Hindawi affair and the name Ann-Marie Murphy, the pregnant woman, and her paramour, Nezar Hindawi. A place to start is http://en.wikipedia.org/wiki/Hindawi_affair)

Bottom Line: Behavioral detection works, if properly implemented.

Two big hurdles for the Transportation Security Administration limit effective TSA use of this technique. First, the persistently negative popular association that clings to every appearance of the word "profiling" makes it almost impossible to discuss this matter without unleashing a torrent of diatribes against the evils of racial profiling. Even when true, these accusations are beside the point and an argument unrelated to security screening. A related problem, though, is that the masters of this technique have a fondness for the word "profiling" when describing and teaching what they insist on calling behavioral profiling. To its credit, TSA has rebranded this method as behavioral detection, but the old term survives and all the baggage of "profiling" taints serious discussion of the technique's value and proper application.

Second, TSA implementation of behavioral detection merits closer attention than the technique itself, which has been proven in the crucible of aviation security. If a technique works but the people applying it don't, we must ask what is wrong with the larger picture.

Behavioral detection is like a medicine capable of curing an infection. It is not enough to prescribe the medicine. It is also necessary to administer it properly, to take it the right way at the right time. An analytical observer would do well to see how an El Al security screener applies behavioral detection and then compare a TSA screener's approach. The screeners may be the same age and test at similar IQ levels. However, they operate in different environments, under different expectations, and with different enabling or constricting circumstances. The Israelis cannot afford to make a mistake. They live under omnipresent, existential threats. They also operate with more responsibility and with bosses and customers who trust them with life and death decisions. What about their TSA counterparts? Reports to date suggest that TSA screeners operate at a much lower level of discretion, responsibility, and applied judgment. Behavioral detection requires more than just following a checklist, more than a go-to-the-freezer-and-get-the-box mentality that sets apart a chef from a warmer of TV dinners. Both screeners may ultimately come from a gene pool that is more similar than it is different, but their management and training are critical in distinguishing between success and failure when it comes to applying a useful technique.

The GAO indictment of behavioral detection is misplaced. It is not the technique that deserves to be questioned so much as the management and context of its implementation.

-- Nick Catrantzos

Wednesday, November 13, 2013

Security-free Pedigree for Heads of DHS

A subtitle could be DHS Execs: Video Gamers in a Contact Sport.

The ostensible leadership of the federal monolith charged with protecting the United States against existential threats at home continues to fill its executive ranks with people whose security expertise is either inflated or undetectable. The net result is akin to appointing a couch-addicted video gamer as quarterback for a team entering the Super Bowl. He may be fragile, but at least he has no arm, no legs, and no grace under pressure, even if his thumb-to-joystick coordination is world-class.

Enter Jeh Johnson, the latest attorney and bureaucrat to contend for stewardship of the Department of Homeland Security without the burden of ever having been responsible for actually protecting people or property. Raising campaign funds, prosecuting felons, haggling with other lawyers, and occupying sinecures doled out after successful political campaigns by grateful principals may certainly qualify an individual for patronage and the trappings of high office. Nevertheless, these talents fall short of bringing subject matter expertise to the job of protecting America from existential threats at home.

In this lack of anything properly describable as professional capacity, however, Mr. Johnson is neither unique nor especially reprehensible. His lack of experience protecting anything does not separate him markedly from his predecessors for one main reason: they had none either. After all, prosecuting felons, the closest most of them have come to what the media confuse as a security role, has as much to do with preventing an attack as an autopsy has to do with saving a patient's life.

Prosecution does not happen until after a loss has occurred. Consequently, it does nothing to prevent the loss. At theoretical best, prosecution serves a societal objective of making villains pay for their misdeeds and perhaps -- a big and oft-debated perhaps -- deter future malefactors from committing the same crime. Thus prosecution may contribute to public safety. It does little for protection, for security. This is why, at least in the private sector, security departments earn their keep by preventing losses from occurring in the first place rather than by chasing down the people responsible for causing those losses. Prevention, in other words, trumps apprehension. In the vast majority of cases, the time, resources, and expense of hunting down the people responsible for causing a loss are wildly out of proportion to the return for such efforts. Not only is an ounce of prevention worth a pound of cure, but in security the prevention is desired and affordable while the cure is a luxury that comes too late if the patient, i.e. the business, is already dead or on a morphine-drip after a catastrophic loss or attack has taken place.

So, why hire non-security professionals for what may well be the nation's top security job? Given the consistency in the pedigrees of all DHS secretaries to date, one must infer that the real recruiting criteria are not so much about protection and prevention as about other things. What are those other things? I submit that there are three true qualifications in demand.

1. BELTWAY PILOTING SKILLS. A South Korean general who pinned on his first star within a year of Jim Clapper, before either foresaw the latter's rise to Director of National Intelligence, once told me this: "Colonel is military rank. General is political rank." The top DHS job takes and confers political rank. Any office holder expects to spend more time testifying before various House and Senate committees or managing the relations between DHS and Congress than actually doing productive work in his or her office. Consequently, in order to navigate successfully through such waters, the Secretary of DHS must be a pilot who knows the political shoals and landscapes. He or she best does this by, well, being cut from the same cloth, by being one of them. And most of them are lawyers who have spent the bulk of their careers in the public sector -- just like every Homeland Security top executive and candidate for that office.

2. PERSONAL RELATIONSHIP AND SUBORDINATION TO THE BOSS. The only possible exception to this criterion -- and only to a part of it -- was the first DHS executive, Tom Ridge. He was more of a peer to President Bush, having met and interacted with him when both were state governors. Consequently, when the out-of-office Governor Ridge needed a job and President George W. Bush needed the first DHS cabinet secretary, Ridge came in as a known to Bush. The two eventually grew to have their differences, but Ridge never directly showed insubordination to his boss. Subsequent incumbents were clearly more subordinate and beholden to their patrons. Michael Chertoff owed Presidents Bush (father and son) for some of his career appointments, and he was arguably the most cerebral and accomplished of DHS secretaries and candidates to date. Janet Napolitano, unlike Chertoff, had been elected to higher office as a governor, yet had no ostensible time in a peer relationship with her patron, President Obama. She did endorse him when he was a presidential candidate, as did Jeh Johnson, the latter also having raised funds for Obama's campaign. Both Napolitano and Johnson supported and benefited from ties to the Clinton administration and Democrat party affiliation, just as Ridge and Chertoff did from Bush and Republican ties. Manifestly, then, political acceptability and familiarity to the appointing boss, whether Democrat or Republican, appears to be a more important selection criterion than, say, demonstrable security expertise.

3. MARQUEE VALUE BENEATH THAT OF THE BOSS. Again, Ridge may have been a partial exception to this criterion in that he entered the office after having been a peer of the president who appointed him. Nevertheless, he and all successors remain presentable to the media, Congress, and the public while never rising to the kind of prominence that would eclipse that of the Commander in Chief. To explore this criterion, consider who the Secretary of Homeland Security has not been. After 9/11, the most prominent and publicly intuitive pick would have been Rudolph Giuliani. Not only did he turn around crime-related decline in America's largest city, he showed leadership in the aftermath of the 9/11 attacks, earning the sobriquet, America's Mayor. Anyone with direct exposure to this individual, though, has also been exposed to an out-sized ego and work habits that were likely more chaotic than, and incompatible with, those of President Bush. A look at Giuliani and at either Bush or Obama, however, soon foreshadows incorrigible irreconcilability. Having himself contended for the office of President, Giuliani would invariably threaten to steal the thunder of any Commander in Chief. Since the latter remains a political office, too, no incumbent would embrace as Secretary of DHS a person who might intentionally or otherwise redirect limelight away from the nation's chief executive.

With criteria such as the foregoing in play, is it any wonder that traces of actual security competence end up ranking so low on the list of selection criteria as to belong in the nice-to-have-but-not-essential category?

-- Nick Catrantzos

Friday, November 1, 2013

What Traffic Accidents Can Teach about LAX Shooting

In a nutshell, we must learn to calibrate our reaction thresholds to expedite timely return to business as usual. It worked for Churchill in WWII. It can work for America in the age of terror.

In communities where a highway fatality is rare, authorities reflexively close down an entire stretch of freeway to accommodate a painstaking and time-consuming accident investigation -- no matter what the expense or impact to commuters. In larger metropolitan areas where such events become so commonplace that commuters actually urge suicidal pedestrians to just jump off a highway overpass in order to end traffic congestion, the response tends to be different. Over time, seasoned patrol officers learn how to handle their investigation and protect the public while still managing to keep traffic moving. It isn't easy, but this latter response does take a certain finesse and savvy. It also takes judgment and insight to recognize the diminishing return of overreaction. Unnecessarily tormenting commuters with road closures to prolong an accident investigation is the kind of mindless move that telegraphs either insecurity or abuse of authority once such action begins to amplify more problems than it solves. There is a prudent middle ground between ignoring a corpse until after rush hour and choking all traffic to the point of turning a commute into a day-long experience. No thinking individual does either.

So what should a thinking official do when a shooter at an airport such as Los Angeles International (LAX) kills a TSA employee and wounds other unarmed people before himself being wounded and apprehended? The situation certainly dictates immediate tactics. Rapid cognition combined with savvy assessment should indicate whether this event has the markings of a terrorist attack with wider ramifications. On the surface of initial reports as of mid-day November 1, 2013, such indications were absent. Whatever targeting goes into a sophisticated terrorist attack, it is unlikely to be the work of a major terror plot if the only apparent casualties were TSA screeners and passersby. Any attack is tragic for innocent victims, but a strategic attack aims at a bigger target, more casualties, and a more shocking impact.

In the absence of such features, one must question the wisdom of shutting down incoming or outbound air traffic for LAX -- particularly if the attacker and weapon were both captured. If there were indications of an explosive device making it to an aircraft, of multiple shooters dispersed throughout LAX, of secondary attacks in progress, or of linkages to a coordinated attack against LAX or other airports, it might be wise to suspend airport operations long enough to protect people and render safe any dangerous devices. Absent such things, though, disruption of LAX operations under the banner of security appears more reflexive than wise. It is reflexive because, given a choice, authorities gravitate to the option that will shield them from liability and negative press. They don't want to face accusations of not responding vigorously to a visible threat, so the natural reaction is to make up for deficient planning and defenses by ostensible overkill.

Is the reflexive response the right one? An airport which averages one outgoing flight every 55 seconds and is the third busiest in the country cannot and should not embrace reflexive shutdown without regard for the cascading impact that this action produces nationwide for commercial aviation.

Sometimes the reflexive and convenient and risk averse response is precisely the wrong one. Shutting down flights and significant parts of LAX operations in knee-jerk response to this incident -- unless justified by threat intelligence not made public -- appears to be exactly the kind of response akin to closing down an entire big city freeway all day to investigate a single accident whose cause and effect have been 80% assessed within the first hour. On the surface, such overreaction appears less than wise.

-- Nick Catrantzos

Dummy Cameras and Symbolic Security

The subtitle should be, "Whom do we think we're fooling, and how does this serve our security objectives?" Let us begin with a few cases from the real world.

A FACILITY IN THE WOODS

A research facility that once engaged my consulting firm to help defend against ecoterrorist attacks had some executives who wondered aloud about the merits of stretching their security dollars by putting up dummy video cameras interspersed among functioning devices installed for perimeter intrusion detection. This was a bad idea. Why? If they had accompanied their junior and middle managers to the field for a reality check, as I did, they would have seen that the only consistent attention drawn by such dummy cameras was for target practice. My local guide, a field supervisor and long-term company employee, pointed out how the only value realized from a former executive's bright idea about installing dummy cameras at the corner of a tree farm was that these devices drew most of the rifle fire that would have otherwise been aimed at a ground-level access hatch to a utility connection. The supervisor ruefully noted that executive management tended to ignore his input on the effectiveness of these dummy installations, perhaps because he lacked the organizational authority that comes with more senior rank. He wondered if the same advice from an external consultant, me, might not find a more receptive ear in mahogany row. So did I. It did. The executives quietly buried the dummy camera idea.

A SCHOOL IN THE DARK

A colleague found himself advising a public school on what to do about security lighting for a facility repeatedly struck by burglars and vandals at night. His client, having read up on crime prevention through environmental design, reasoned that protective lighting would deter intruders because it would increase their chance of detection, hence their risk of apprehension. So the client dutifully surrounded the school with extra floodlights, arranged them to avoid glare that would affect surrounding homes, and asked for the lighting contractor to make sure that the light was of the proper illumination and strength to provide deterrence. The intrusions and losses not only continued but started to increase. Unlike his client, my colleague actually went to the school at different hours of the day and night, first to measure the lighting strength in foot candles and then to determine whether there was an undetected flaw in coverage. Perhaps a gap in lighting had inadvertently surfaced to provide intruders with concealment that had gone undetected. No, that was not the case. What had happened? My colleague roamed around the school and the entire neighborhood before figuring out that the school lighting was acting not as a deterrent but as a beacon. It was attracting burglars and vandals, illuminating their target and facilitating their movement once on the premises. What did he advise? He had the school try shutting off the floodlights and all but a few motion-activated lights in order to see what would happen. As a result, intruders moved to other, better lit targets. Problem solved.

A NUISANCE CORNER

A home I once had rested on a corner lot where trees and ivy looked presentable during the day but started attracting juvenile loiterers at night. The kids started gathering in that spot, leaving beverage cans, cigarette butts, and other detritus that only a future archaeologist might find noteworthy. Why? It was just out of the cone of illumination of the nearest street light. Thanks to the know-how of a visiting relative, I had the help it took to install floodlights along the dark corner of my home, but this project triggered a debate. My relative suggested using a motion-activated sensor to switch the lights on when kids passed the side of the house. I voted for a light sensor that switched them on automatically at night. Since the house and expense were mine to bear, my vote was decisive. This decision also worked and saved money. How so? My option worked like the street light that the kids were avoiding by hanging out at the side of my house. By turning on automatically as the street lights turned on as well, my new lights instantly removed the attraction that was drawing the kids to my corner. So they shuffled off somewhere else. If I had relied on a motion sensor, chances are the kids would have been able to figure out how to bypass the sensor and still manage to keep loitering in the same general area -- unless I installed a lot more motion sensors. Then they would have also had the option of entertaining themselves by seeing how many times they could trigger the sensors on and off. In any case, turning sensors on and off this way would sentence my family to the annoyance of constant clicking sounds and would likely wear out my floodlights faster, at greater expense. Turning the lights on automatically at night kept the loiterers from approaching in the first place -- something the motion-activated option would not do equally. One option was tailored to solve the problem. The other option was not as thought out as it was reflexive.

LESSONS

Symbolic security offers more value to its advocates than to targets needing protection. And it does this by generating two kinds of expense. First, there is the direct cost of symbolic security: the cost of installing, operating, or replacing dummy cameras, lights, and any other stage management expenses of security theater. Second, there is the less tangible yet more corrosive damage to security's credibility and to voluntary adoption of security recommendations by a targeted population turned into reluctant, jaded customers. That is the real cost: losing the people whose voluntary compliance is vital to defending against threats.

WIDER APPLICATION

Look at any overextended, intrusive, and costly program unburdened by metrics or demonstrable returns yet perpetuated under the banner of security. Some aspects of TSA screening and NSA data vacuuming come to mind. Are the programs delivering results in proportion to what they are costing us? Or, like dummy cameras and symbolic security, are they fooling only those who perpetuate them while the real villains safely smile from a distance, patiently devising the next attack and watching defenders chase their tails?

-- Nick Catrantzos

Monday, October 14, 2013

Odd Signals in Plea for Missing Teen's Return

Emotional situations bring out irrational statements, but word choices can still signal things like collusive knowledge, deception, or inconsistency worth investigating. And there are a few such signals in Zenya Hernandez's publicized, televised appeal for the return of her missing daughter Abby, of North Conway, NH. (For a video clip of this appeal, see the last third of this news report: http://www.necn.com/10/12/13/Missing-North-Conway-NH-teens-mother-ple/landing.html?blockID=854999)

The mother begins with, "I want to say please come home. We miss you so badly. We want you back with us."

What's wrong with this? In content analysis to detect deception, there is a truism that the shortest path to the point is the best and most likely to be truthful. Thus the introduction of extra, unnecessary words constitutes a red flag that deserves scrutiny. Instead of saying right out, "Come home," Zenya Hernandez started out with "I want to say." This dilutes what follows. Indicating what one "wants" to say is not quite the same as just coming out and saying it. It is as if the speaker acknowledges that a want does not always translate into a need or a reality. I want a tax-free inheritance from an unknown benefactor. This does not mean I expect it to happen. If I state that I want to say something, this opens the possibility that I want to say it but feel that I am not really saying it voluntarily. Similarly, we must ask whether Mrs. Hernandez is making this opening statement because it is expected of her, rather than an accurate representation of other thoughts she possesses.

More telling still is an immediate shift in pronouns. The mother's reference to herself with the personal pronoun "I" starts and ends with announcing what she "wants" to say. Then she immediately shifts to the plural with "we." This could be revealing. What does she mean by we? Someone who forms part of that "we" probably does miss Abby and does want her back. The question is whether that intensity of feeling extends to the mother equally. It may be possible that there are some hard feelings between mother and daughter -- certainly nothing unexpected between parents and teens -- and that this relationship has colored the mother's statement, even if she is completely blameless and sincere in wanting to be reunited with her daughter. But it bears probing to learn whether the mother may be withholding some useful details about a recent argument or conflict that may have in some way influenced Abigail Hernandez's disappearance.

Towards the end of the video, one more snippet invites extra scrutiny. Specifically, in making the now standard appeal for anyone who knows something to share this information with authorities, what does Mrs. Hernandez say? She asks for anyone who "knew" Abby to come forward, not for anyone who "knows" her daughter. Changing tenses this way may be significant, a possible indicator that the mother is already thinking of the daughter in the past tense, too. What makes this a red flag? Susan Smith spoke in the past tense when making a plea for return of sons she knew were already dead.

None of these things amounts to a smoking gun. Stressful circumstances can produce different responses from different people. However, the foregoing anomalies do suggest that there may well be more to this story than investigators have received or communicated openly so far.

-- Nick Catrantzos

Sunday, October 6, 2013

Why Grill Embassy Bomber Abu Anas al-Liby?

The alleged mastermind behind U.S. embassy bombings in Kenya and Tanzania, now captured, is about to experience a legal circus that comes with any trial of a notorious character. Politics aside, is such a trial a good idea from the perspective of gaining intelligence out of him?

To answer this question, one must first come to grips with what intelligence he has to offer. There is tactical intelligence about impending attacks, active networks, methods, logistics, and financing. Strategic intelligence may include insight into long-range plans, support networks, and identification of terrorist leaders and their vulnerabilities. As for the 15-year-old attacks themselves, which have already been investigated and studied, there is still something important he can reveal. Specifically, the details of his target selection process can inform our future defenses. Why is this important?

In the unclassified world of security thought and rumination, it has long been held that terrorists bent on attacking U.S. embassies in Africa zeroed in on perhaps four likely targets and then ultimately chose Kenya and Tanzania as the easier targets. We think -- or have speculated -- that the target selection process boiled down to picking softer targets where security was more relaxed because there had been no attacks or threats of attack prior to the targeting. Effective interrogation of Abu Anas al-Liby can illuminate this inference, thereby giving us useful insight into how terrorists pick their targets.

Now, if this individual has valuable information, will a public, media-rich trial contribute to or inhibit loosening his tongue? Individuals with a prosecutorial bias will argue that trials do wonders to encourage captured traitors to talk. To some extent this argument has merit. The reason is that traitors who are caught generally have nothing left to trade that the government cannot confiscate. Why would they want to trade anyway? Usually they have one or more family members left devastated by their act of treason, and trading something of value is all that they can bargain with to keep authorities from legitimate confiscations that can be exceptionally hard on these families. Thus, the traitors' one card to play becomes cooperation in failure analysis aimed at determining what happened and how much damage the traitor actually caused. This is called damage assessment, and a trial can nudge traitors into cooperating in damage assessment as a condition of a plea bargain. Traitors know that they face a life sentence if not execution, so sentencing offers little incentive for cooperation because it just does not change. However, in exchange for full cooperation in the failure analysis debriefings, traitors can sometimes get authorities to go easier on the family members who had nothing to do with their perfidy, as an alternative to, say, leaving spouses homeless and destitute.

What about terrorists attacking Americans abroad who have no such ties within our country, however? Sadly, an American trial offers no such inducement to cooperate. Indeed, it offers counterproductive incentives to turn a legal proceeding into a platform for railing against the United States and chanting manifestos in an effort to rally like-minded and aspiring jihadists. Meanwhile, prosecutors eager to honor the playbook of legal fairness accorded U.S. citizens deserving protections under the law may well bar legitimate intelligence interrogation on the theory that this may impede successful prosecution. Alternatively, if the embassy bomber were to publicly disappear, materializing in a facility approximating Guantanamo where he could be treated humanely while facing questioning that will take as much time as he has left on earth, perhaps he will disgorge information that will save American lives.

Prosecution is a fine objective, but it does not take on the same priorities as protection, and protection accords a greater premium to preventing the next attack than to avenging the last one.

-- Nick Catrantzos

Wednesday, September 25, 2013

What If Shots Fired at Your Shopping Mall?

When I used to consult for large organizations to advise their employees how to stay out of harm's way in dangerous places, the primary concern was travel to unstable countries. Today, similar worries extend to places like shopping malls, yet some of the advice from my corporate engagement was equally welcomed by a concerned shopper with fears springing from the mall shooting in Kenya. Here are three of my top ten tips that apply to the situation we all face today.

Rule 1: Always go in the direction opposite trouble rather than toward it.

Rationale: People are curious creatures. Our natural inclination on hearing some commotion is to approach its source to see what is going on. For personal security, this can be a deadly mistake. Bodyguards learn to stay focused on their principal, no matter what noise or distractions are taking place. They train themselves to make protection their overriding priority, to move the protectee safely away. Similarly, the noise of gunfire should not magnetize but repel you. While the naive cannot help but be drawn to the commotion, making themselves targets in the process, smart survivors react by getting out of harm's way.

Rule 2: Trust your instincts about danger. Looking silly beats getting hurt.

Rationale: Humans process some clues faster subliminally than via time-consuming application of logic. A story in Gift of Fear, for example, recounts how a woman who was carjacked outside an ATM experienced a feeling of unease while waiting for her boyfriend to withdraw his cash as he left the engine running and the car unlocked. Only after debriefing did the woman realize that what had triggered her visceral anxiety was that she saw a glimpse of an approaching figure wearing jeans -- the carjacker -- but had not had the luxury of time to reason out that her instincts had activated because her boyfriend was not wearing jeans that day. The point is that if she had trusted her instincts without delay, she would have locked the car with the push of a button instead of experiencing a tense encounter with a dangerous villain. The same applies in cases where people routinely override their instincts for fear of appearing silly or prejudicial, as when stepping into an elevator occupied by a hulking derelict or gang of kids. People do this all the time because they don't want to appear judgmental or to look silly and waste time taking the stairs or another elevator. But silly is better than hurt or dead. Isn't it better to defer your shopping, lose your place in line, and get rapidly out of Dodge at the onset of a mall shooting than to linger or worry about how silly you may look if overreacting? Considering the respective worst case scenarios, looking silly still trumps getting shot.

Rule 3: Move, move, move.

Rationale: This was a favorite tip from a friend and colleague I had lost touch with for over 20 years until finding him training executives and their chauffeurs outside the U.S. in how to use their armored limousine to avoid being killed or taken hostage. (Chauffeurs in particular needed more training, because their knee-jerk reaction was to avoid scratching the limo.) His point was that, outside of the movies, few adversaries have a Plan B. They prepare one main attack and generally stick to it. If you can disrupt that plan by getting away from the target area, in the vast majority of cases you will get away and the attackers will not keep after you. Besides, in the case of a mall massacre, the chances are that you are not being targeted specifically. In the terrorists' minds, any casualty is as good as another, and numbers count. Your objective, then, is to avoid being one of those numbers. Move quickly. You need not be as fast as an Olympic sprinter. You just have to be faster than the next victim who hesitates or wanders unthinkingly into the line of fire.

Bottom Line: Survival begins in the mind. There is always something that you can do to improve the odds in your favor.

-- Nick Catrantzos

Saturday, September 21, 2013

Navy Yard Shooter's Background Check: Who Saw It Last?

The latest effort to point the accusing finger of blame at the contractor performing the background investigation of Washington Navy Yard shooter Aaron Alexis misses a critical point. The quality of any background investigation is no better than what the recipient of the data does with this information. And the ultimate decider using such an investigation to grant or withhold a security clearance is a government employee, not a contractor. This is an undelegable duty that government employees reserve for themselves, on the oft-touted and logically defended argument that there are some duties not to be passed on to the private sector.

Not that this argument is infallible. After all, when it comes to most work in the national security space, the people doing the heavy lifting behind the scenes come from the same gene pool and are more alike than they are different. One day they may be career government employees. The next day they may be contractors. In either case, adjudicators who review discrepant data surfaced by background checks to make a determination on whether to grant a security clearance do not need a corporate paycheck to make a mistake. Inertia, bureaucracy, and insufficient scrutiny surely do not bypass government offices to infect only the private sector. Indeed, private companies like background investigation firms have the wherewithal to inoculate themselves at least somewhat against bureaucratic ineptitude. They can fire incompetents. Government counterparts only sigh wistfully when daydreaming of imposing such involuntary career events in their work force.

Nevertheless, some mistakes and systemic failures infect the public and private sectors with equal regularity. One such instance is a chronic failure to do something about aberrant behavior on two fronts. One front is to simply use the tools available for what they were intended. A security clearance is not supposed to be a right or entitlement. It is and should be something for which one qualifies. Instability, insubordination, and multiple encounters with police associated with threatening behavior supply ample justification for withholding or at least suspending a security clearance. And while a security focal point in the private sector may have a hand in reporting such data to the government, the one responsible for doing something remains a government employee. The responsibility does not stop there.

This is the second front. One could argue that everyone working with or routinely encountering Alexis who witnessed his troubling behavior had some kind of obligation to do something, but what? A co-worker, whether a Navy employee or contractor, could be obliged to approach management or security to report concerns about a potential threat to the workplace. Failure analysis will likely unearth stories of warning signs neglected or unaddressed by those with the power to intervene. What will the accused fall back on to excuse their failure to act?

Privacy. Confidentiality of medical information or personnel data. Individual employee rights. Fear of lawsuits arising from wrongful discharge or from allegations of discrimination. There is a common thread tying all such excuses. It is the loss of perspective which follows when organizations focus on individual rights at the expense of the more basic interests of the larger employee population.

Sure, no individual should be unfairly treated by being denied a clearance or fired from a job without good reason. However, in the knee-jerk emphasis on fairness and liability avoidance, organizations often lose sight of the larger consequences. And so, letting Alexis keep his security clearance, sweeping his threatening behavior under the rug of privacy or employee rights, and passing the buck for his next employer to handle what appeared to be chronic personal problems that were only getting worse -- all this becomes the default at work. And this is why it is ethically unsupportable to point the accusing finger of blame at a single contractor. Lots of fingers remain for pointing elsewhere.

-- Nick Catrantzos

Wednesday, September 11, 2013

"Won't listen? Then feel" Foreign Policy

I wrote these notes before Russia's Putin commandeered the world's stage about Syria. The press of other matters delayed posting, but my friend and colleague, Mark, read what follows and said it reminded him of his own father's approach to deterring undesired activity. If you won't listen, you will just have to feel consequences. No protracted debates. No soapbox sermons. Thanks for a more memorable subject line than something with the word lessons in it, Mark.

-----

Ah, the tumultuous Middle East, where villains savage their own rival tribes and issue death threats with all the gusto of a thespian preening for a debut on Broadway. How does one put the noise into context? Consider some events from recent history:

Hostile Talk

- During the Six-Day War, the Egyptian Air Force was proudly announcing air superiority of its fighter aces as Israel was neutering Egyptian air power.
- Circa 1986, as tensions between Libya and the U.S. spiked after a Libyan-sponsored bombing of U.S. servicemen in a nightclub outside an American military base, Qaddafi announced a "line of death" which, if crossed, would mean complete devastation for American forces. The latter bombed Qaddafi into silence, after narrowly missing him in an air strike that killed his son and obliterated any subsequent talk of lines of death.

Meaningful Action

- Earlier this year, after catching Syria in the act of arming Hezbollah with weapons whose target would only be Israel, Israel bombed weapons caches in Syria without fanfare or hesitation. Syria expressed outrage but knew better than to attack Israel in retaliation. Nor did war rhetoric follow from either side.
- In the days when kidnappings of journalists and diplomats were common fears in Beirut, legend has it that one terrorist group tried its hand with abducting a Soviet official. The Russians, as the story goes, did not engage in media pleas for release or hostage negotiations. Instead, they found the first relative traceable to the instigator, his nephew, and sent the nephew's private parts in a package to the instigator. The Soviet hostage was then released without fanfare or rhetorical exchanges in the press.

Lessons

Deterrence still works, but perhaps in inverse ratio to proclamation and palaver. Action still speaks louder than words, and sometimes loudest when uncluttered with words. In the foregoing cases of the Israelis and Russians, one may only wonder if the reaction by those on the receiving end was not something like, "Well, no one ever explained it that way to us before."

Even the French get this, which is why they see no double standard in calling us cowboys if we move without coalitions, United Nations' blessings, and favorable press. Meanwhile, whenever France perceives a threat to its interests in Congo, Algeria, or Mali, the French definition of nanosecond becomes the degree of hesitation they experience in worrying about such imprimaturs before sending in their expeditionary forces. And those forces go in, gloves off, to do a job -- not to send a message.

-- Nick Catrantzos

Thursday, July 25, 2013

Lessons from Security Speed Dating


The notes which follow capture three memorable ideas, i.e. keepers, from an inaugural security industry forum in Tucson last week. Details of the event itself are at the end. The three points harvested fall into the categories of best self-introduction by a security director, best insight on active shooters, and best security-related product I wish I had in my last job.

1. Best Self-Introduction (as delivered by a retired police captain and current security director in Alabama):

"I protect people from the acts of Satan and the laws of Murphy."

2. Best Insight (about active shooters as noted in presentation by a senior security executive based on his experience in a number of fact-finding commissions after mass casualty incidents, including Columbine).

"Running away is a great option; every child who ran at Columbine is alive today."

The epiphany lurking in this observation is that it runs counter to the current trend to afford equal value to evacuation and sheltering-in-place as the default mantra security professionals have tended to chant when discussing basic options about what to do in any situation, including that of an active shooter attack. In reality, the statistics are starting to show that running away has a higher success rate than hunkering down, although that remains a second choice, and fighting is emerging as the third option to advise as a last resort. The bottom line is that running away deserves to take precedence.

3. Best Security-Related Product (as described by Sally Nordeen, Morpho Detection, snordeen@morphodetection.com, in a one-on-one session to answer questions): a handheld device for detecting anthrax and ricin that does the job in 40-90 seconds.

The product is about the size of a large cordless DeWalt drill (which means you can lock it up). It shoots a laser at the substance in question and can detect anthrax, ricin, and thousands of other substances on the spot. The device itself costs $35,000, which can be expensive or a phenomenal bargain. It operates on rechargeable lithium batteries and has a ten-year life. Its official name is the Street Lab Mobile. The manufacturer is Morpho Detection, a subsidiary of the French corporation, Safran. If these names are unfamiliar, it may be because the company started out as a unit of G.E. and was subsequently bought out by the French. Morpho's biggest customer is TSA, and its most recognizable products are the machines that detect explosives concealed in luggage at airports.

Why did I wish I had one of these in a previous life? Chemical and biological threats are hard to assess and usually require access to a Level 4 lab -- something few employers have. Most agencies must go through their local public health system, i.e. their local county health agency, to gain access to such capabilities. This in turn means a lot of time delay and multiple opportunities for bureaucratic missteps along the way, especially if there are several white powder reports raging through a given jurisdiction at the same time. About 95% of bomb threats turn out to be hoaxes, and the number goes up to near 99% for contamination threats. However, this does not reduce the need for a targeted organization to deal with the threats rapidly and effectively in order to limit hysteria, panic, and unintended consequences. If such a device works as advertised, it would have been a godsend when I was in charge of security at a regional water utility. It would have also spared my employer from the endless hassle of reminding local counterpart agencies that taking their suspected anthrax to our water quality lab was not the right way to solve their problem, since we had no classified toxic agents or their surrogates against which to make analytical comparisons and also had no lab workers eagerly seeking out the introduction of potentially lethal substances into their workplace on a futile errand.

Event Details

What was this event anyway? Officially, it was the inaugural session of the ASIS Diamond Club Security Buyers Forum, July 17-19, 2013, at Loews Ventana Canyon, Tucson, AZ. As conceived, this was a security industry forum intended to bring a cross-section of practitioners and suppliers together in the business equivalent of speed dating. An invitation-only event for about 50 security professionals and 30 or so vendors, this forum was an experimental alternative to the giant trade show that the security industry usually operates annually. However, this format was on a more human scale than conventions. By contrast, the annual security convention put on by the American Society for Industrial Security (ASIS), draws about 20,000-25,000 attendees and fills any convention center with the world's largest assortment of exhibits showcasing security products and services. Both events include professional education and networking sessions, and the value one derives from either is probably a function of business need, employer priorities, and personal taste.

-- Nick Catrantzos

Wednesday, July 10, 2013

Rat Fiasco: What's Missing from Fed Insider Threat Program


In a ham-handed implementation that can only be properly described as TSA-esque, the federal scramble to plug leaks now emerges as an exhortation to seize on coworker behaviors to flag them as suspicious and to rat out peers to some unmentioned body of enforcers with the wisdom and wherewithal to do something about real, impending betrayal. That such a scheme should self-destruct is a surprise to no one but its armchair architects. (Details at http://www.foxnews.com/politics/2013/07/10/insider-threat-program-reportedly-orders-feds-to-spy-on-each-other-using-sloppy/) It was doomed from inception. Why?

There are sins of omission and of commission raging through any program like this if it hasn't been thought through. Let us begin with the latter.

Sins of Commission

1. Absent better guidance, such a scheme appeals to the baser instincts of human nature, becoming an instant invitation to settle scores. Is Mary jealous of Irma for having won the last promotion? Then rat her out for too many restroom breaks on the pretext that she must be using them to pass on notes to terrorists. Is Fred unhappy that the boss turned down his requested leave dates because Joe has seniority and asked for them first? Then rat out the both of them for collusive behaviors that must be indicative of running a terror cell. You get the idea. Armchair theorists do not see this fatal flaw because they have never witnessed, from a manager's perspective, the unintended consequences of a flawed implementation of an ethics or anti-harassment program. Run impetuously by amateurs, such programs invariably generate new -- and spurious -- business. The remedy soon becomes worse than the disease, a fear that dates back to Hippocrates' warnings to early physicians.

2. The unthinking reliance on mass distribution of suspicious behavior checklists ends up making every worker the equivalent of the worst TSA automaton: a blind follower of printed instruction who is disincentivized from the all-important infusion of judgment. Why does this happen? Because we live in a society that slavishly follows the LITE mantra, namely Leave It To The Experts. We ask employees to rat others out but don't trust them to think. That is the province of the unmentioned experts, whose expertise is usually assumed or self-conferred.

Sins of Omission

Perhaps the greater fatal flaw arises from what such programs neglect.

1. They respect neither the work force nor the workplace. Insider threats remain statistically rare. (See Managing The Insider Threat: No Dark Corners, http://www.amazon.com/dp/1439872929, for a lengthier and more scholarly treatment of this topic.) The bottom line is that most people, most of the time, are not going around betraying their employers or fellow workers. It is mindless to treat the vast majority of honest employees as ex-cons scheming to violate their conditions of parole. It is equally unfair to the workplace to turn it into a Gestapo-run factory ruled by the lash. All organizations exist for a reason. They have a job that needs doing, and most of these employers cannot turn themselves into full-time witch-hunters without degrading their overall performance.

2. These programs hinge on the assumption that workers are fit only to spot suspicious behaviors as they exist on a checklist but not qualified to evaluate their own information. (See LITE, above.) So the employee who is urged to rat out a coworker is not trusted to do anything more. This situation invariably leaves the reporting employee bereft of feedback, while some self-styled expert runs with the lead or, equally, sits on it. No one can tell what happened outside the select cadre of experts. This situation invites abuse and tends to incentivize expert lassitude, somnolence, and all the other kinds of reaction that attach to bureaucrats who are not, shall we say, all the way committed to excellence. Result? More sitting on data than timely intervention to prevent threats from materializing.

3. Finally, such programs neglect the value of lawful disruption. Face this reality: There are never enough experts or responders to handle every situation. Taking advantage of the initiative of someone on the scene of a catastrophic betrayal is not just the best chance for damage control. It's usually the only chance. It's also precisely the chance these insider programs squander by telling employees, "Leave it to the experts." When insider threat programs stop short of saying this directly, they say it tacitly. They neglect to point out the nearly infinite options that exist for lawful disruption, that is, the short circuiting of pernicious activity through legally permissible actions (p. 135 of Managing the Insider Threat and also the beginning of a chapter on lawful disruption of the insider threat, as inspired by a Canadian senator leading an anti-terrorism committee who noted the value of this tactic).

In the final analysis, this rat-out-your-peers approach to countering insider threats as described above epitomizes a potentially useful idea that was botched in its implementation. It proves once again that there is no smart way to be stupid.

-- Nick Catrantzos