--- Begin Message ---
Names involved include a lot of Enron and HUD missing money in one place.
============================================================================
=================
http://www.ksg.harvard.edu/visions/Publications/terrorism.htm
Catastrophic Terrorism:
Elements of a National Policy
By
Ashton B. Carter, John M. Deutch
and Philip D. Zelikow
A Report of
Visions of Governance for the Twenty-First Century
A Project of the John F. Kennedy School of Government
Harvard University
�1998 by the Board of Trustees of Leland Stanford Junior University and the
Board of Trustees of Harvard University
This report was made possible in part by the Carnegie Corporation of New
York, the John D. and Catherine T. MacArthur Foundation, and the Herbert S.
Winokur Public Policy Fund at Harvard University. The statements made and
views expressed are solely the responsibility of the authors.
----------------------------------------------------------------------------
----
Contents
Foreword: Preventive Defense
Acknowledgments
Catastrophic Terrorism: Elements of a National Policy
Imagining the Transforming Event
Organizing for Success
Intelligence and Warning
Prevention and Deterrence
Crisis and Consequence Management
Acquisition
Conclusion
Notes
About the Authors
About Visions of Governance for the Twenty-First Century
About the Stanford-Harvard Preventive Defense Project
Foreword: Preventive Defense
Through more than four decades of Cold War, American national security
strategy was difficult to implement but easy to understand. America was set
on a clear course to contain Soviet expansionism anywhere in the world, all
the while building a formidable arsenal of nuclear weapons to deter the
Soviet Union from using military force against it or its allies. Now, with
the end of the Cold War, the underlying rationale for that strategy�the
threat from the Soviet Union�has disappeared. What strategy should replace
it? Much depends on finding the correct answer to this question.
The world survived three global wars this century. The first two resulted in
tens of millions of deaths, but the third�the Cold War�would have been even
more horrible than the others had deterrence failed. These three wars trace
a path that leads to the strategy needed for the post-Cold War era.
At the end of the First World War, the victorious European allies sought
revenge and reparations; what they got was a massive depression and another
world war. The United States sought "normalcy" and isolation; what it got
was total war and leadership in winning it. Because it failed to prevent and
then to deter Germany�s aggression, America was forced to mobilize a second
time to defeat it.
At the end of the Second World War, America initially chose a strategy based
on prevention. Vowing not to repeat the mistakes made after World War I, the
Truman administration created the Marshall Plan, which sought to assist the
devastated nations of Europe, friends and foes alike, to rebuild. The
Marshall Plan and other examples of the preventive defense strategy, aimed
at preventing the conditions that would lead to a future world war, were an
outstanding success in Western Europe and in Japan.
But the Soviet Union turned down the Marshall Plan and, instead, persisted
in a program of expansion, trying to take advantage of the weakened
condition of most of the countries of Europe. The resulting security problem
was clearly articulated by George Kennan, who forecast that the wartime
cooperation with the Soviet Union would be replaced with a struggle for the
heart of Europe and that the United States should prepare for a protracted
period of confrontation. Kennan�s analysis was accepted by the Truman
administration, which then formulated a strategy that would get us through
the Cold War: deterring another global war while containing the Soviet Union
�s demonstrated expansionist ambitions. Deterrence supplanted prevention:
there was no other choice.
Even deterrence was a departure from earlier American military strategy. The
United States had twice previously risen to defeat aggression, but it had
not maintained the peacetime military establishment or the engagement in the
world to deter World Wars I or II. Marshall and other defense leaders around
Truman created the peacetime posture and new security institutions required.
In time, as George Kennan had forecast, the Soviet Union disintegrated
because of the limitations of its political and economic systems. Deterrence
worked.
The result is a world today seemingly without a major threat to the United
States, and the U.S. is now enjoying a period of peace and influence as
never before. But while this situation is to be savored by the public,
foreign policy and defense leaders should not be complacent. This period of
an absence of threat challenges these leaders to find the vision and
foresight to act strategically, even when events and imminent threats do not
compel them to do so.
To understand the dangers and opportunities that will define our nation�s
strategy in the new era, we must see the post-Cold War world the way George
Marshall looked upon Europe after World War II, and return to prevention. In
essence, we now have another chance to realize Marshall�s vision: a world
not of threats to be deterred, but a world united in peace, freedom, and
prosperity. To realize this vision, we should return to Marshall�s strategy
of preventive defense.
Preventive Defense is a concept of defense strategy for the United States in
the post-Cold War Era. It stresses the need to anticipate security dangers
which, if mismanaged, have the potential to re-create Cold War-scale threats
to U.S. interests and survival. The foci of Preventive Defense are:
proliferation of weapons of mass destruction, catastrophic terrorism, "loose
nukes" and other military technology from the former Soviet Union, Russia�s
post-Cold War security identity, and the peaceful rise of China.
Preventive Defense is the most important mission of national security
leaders and of the defense establishment. They must dedicate themselves to
Preventive Defense while they deter lesser but existing threats�in Iraq and
North Korea�and conduct peacekeeping and humanitarian missions�in Bosnia,
Haiti, Rwanda, and so on�where aggression occurs but where American vital
interests are not directly threatened.
This report is the sixth in a series of Preventive Defense Project reports
on key applications of Preventive Defense. We are grateful to our colleagues
in the Catastrophic Terrorism Study Group and the Visions of Governance for
the Twenty-First Century for their collaboration
Acknowledgments
This report is a product of the Catastrophic Terrorism Study Group, a
nine-month long collaboration of faculty from Harvard University, the
Massachusetts Institute of Technology, Stanford University, and the
University of Virginia. The Group involves experts on national security,
terrorism, intelligence, law enforcement, constitutional law, technologies
of Catastrophic Terrorism and defenses against them, and government
organization and management. The Group is co-chaired by Ashton B. Carter and
John M. Deutch, and the project director is Philip D. Zelikow. Organized by
the Stanford-Harvard Preventive Defense Project, the work of the Study Group
is part of the Kennedy School of Government�s "Visions of Governance for the
Twenty-First Century" project, directed by Dean Joseph S. Nye, Jr. and
Elaine Kamarck.
While the danger of Catastrophic Terrorism is new and grave, there is much
that the United States can do to prevent it and to mitigate its consequences
if it occurs. The objective of the Catastrophic Terrorism Study Group is to
suggest program and policy changes that can be taken by the United States
government in the near term, including the reallocation of agency
responsibilities, to prepare the nation better for the emerging threat of
Catastrophic Terrorism.
An article based on this report will be published in the journal Foreign
Affairs in the November/December 1998 issue.
The authors would like to thank the members of the Catastrophic Terrorism
Study Group:
Graham T. Allison, Jr.
Zoe Baird
Vic DeMarines
Robert Gates
Jamie Gorelick
Robert Hermann
Philip Heyman
Fred Ikle
Elaine Kamarck
Ernest May
Matthew Meselson
Joseph S. Nye, Jr.
William J. Perry
Larry Potts
Fred Schauer
J. Terry Scott
Jack Sheehan
Malcom Sparrow
Herbert Winokur
Robert Zoellick
Though practically all of these group members are sympathetic to the
conclusions in this report, and some enthusiastically endorse them, none is
responsible either for particular opinions expressed here or for the way we
have written this report and expressed those judgments.
We would also like to thank the staff who was responsible for organizing the
Study Group in addition to assisting in the preparation of this report:
Gretchen Bartlett, Lainie Dillon, Hilary Driscoll, Sarah Peterson, and
Kristin Schneeman.
Finally, the Study Group is grateful for the support of the Carnegie
Corporation of New York, the John D. and Catherine T. MacArthur Foundation,
and the Herbert S. Winokur Public Policy Fund at Harvard University.
CATASTROPHIC TERRORISM: ELEMENTS OF A NATIONAL POLICY
Imagining the Transforming Event
We find terrorism when individuals or groups, rather than governments, seek
to attain their objectives by means of the terror induced by violent attacks
upon civilians. When governments openly attack others, we call it war, to be
judged or dealt with according to the laws of war. When governments act in
concert with private individuals or groups, the United States government may
call it war, or state-sponsored terrorism, and retaliate against both the
individuals and the governments. Whatever the label, terrorism is not a new
phenomenon in national or international life, although terrorists may be
animated by a greater variety of motives than ever before, from
international cults like Aum Shinrikyo to the individual nihilism of the
Unabomber.
What is certainly new is that terrorists may today gain access to weapons of
mass destruction (WMD). These can come in a variety of forms: nuclear
explosive devices, germ dispensers, poison gas weapons, or even the novel
destructive power of computers turned against the societies that rely on
them. What is also new is an unprecedented level of national and global
interdependence on an invisible infrastructure of energy and information
distribution.
Americans were shocked by the tragic results of the August 1998 terrorist
attacks against their embassies in Kenya and Tanzania. By comparison with
the threat of catastrophic terrorism, we believe that the threat of ordinary
terrorism of the kind we have known over the last generation is being taken
seriously. The United States government�s commitment to address that danger
is fundamentally sound. We are not as confident that the United States
government is suitably prepared to address the new threat of catastrophic
terrorism that utilizes weapons of mass destruction or intensive
cyber-assault.
Long part of Hollywood�s and Tom Clancy�s repertory of nightmarish
scenarios, catastrophic terrorism is a real possibility. In theory, the
enemies of the United States have motive, means, and opportunity. The U.S.
government has publicly announced that terrorist groups are attempting to
manufacture chemical weapons and destroyed one such facility operating in
the Sudan. As India and Pakistan build up their nuclear arsenals and Russia,
storehouse for tens of thousands of weapons and the material to make tens of
thousands more, descends toward a future none can foresee, it is not hard to
imagine the possibilities. The combination of available technology and
lethality has made biological weapons at least as deadly a danger as the
better known chemical and nuclear threats. The bombings in East Africa
killed hundreds. A successful attack with weapons of mass destruction could
certainly kill thousands, or tens of thousands. If the device that exploded
in 1993 under the World Trade Center had been nuclear, or the distribution
of a deadly pathogen, the chaos and devastation would have gone far beyond
our meager ability to describe it.1
Experts combining experience in every quadrant of the national security and
law enforcement community all consider this catastrophic threat perfectly
plausible today. Technology is more accessible, society is more vulnerable,
and much more elaborate international networks have developed among
organized criminals, drug traffickers, arms dealers, and money launderers:
the necessary infrastructure for catastrophic terrorism. Practically
unchallengeable American military superiority on the conventional
battlefield pushes this country�s enemies toward the unconventional
alternatives.2
Readers should imagine the possibilities for themselves, because the most
serious constraint on current policy is lack of imagination. An act of
catastrophic terrorism that killed thousands or tens of thousands of people
and/or disrupted the necessities of life for hundreds of thousands, or even
millions, would be a watershed event in America�s history. It could involve
loss of life and property unprecedented for peacetime and undermine
Americans� fundamental sense of security within their own borders in a
manner akin to the 1949 Soviet atomic bomb test, or perhaps even worse.
Constitutional liberties would be challenged as the United States sought to
protect itself from further attacks by pressing against allowable limits in
surveillance of citizens, detention of suspects, and the use of deadly
force. More violence would follow, either as other terrorists seek to
imitate this great "success" or as the United States strikes out at those
considered responsible. Like Pearl Harbor, such an event would divide our
past and future into a "before" and "after." The effort and resources we
devote to averting or containing this threat now, in the "before" period,
will seem woeful, even pathetic, when compared to what will happen "after."
Our leaders will be judged negligent for not addressing catastrophic
terrorism more urgently.
Using imagination, we hope now to find some of the political will that we
know would be there later, "after," because this nation prefers prevention
to funereal reconstruction. When this threat becomes clear the President
must be in a position to activate extraordinary capabilities. The danger of
the use of a weapon of mass destruction against the United States or one of
its allies is greater at this moment than it was during the Cold War, or at
least since 1962. The threat of catastrophic terrorism is therefore a
priority national security problem, as well as a major law enforcement
concern. The threat thus deserves the kind of attention we now devote to
threats of military nuclear attack or of regional aggression, as in the
Defense Department�s major regional contingencies that drive our force
planning and the resources we devote to defense.
The first enemy of imagination is resignation. Some who contemplate this
threat find the prospects so dreadful and various that they despair of doing
anything useful and switch off their troubling imagination. They are
fatalistic, like someone contemplating the possibility of a solar supernova,
and turn their eyes away from the threat. Some thinkers reacted the same way
at the dawn of the nuclear age, expecting doom to strike at any hour and
disavowing any further interest in the details of deterrence as a hopeless
venture. But as in the case of nuclear deterrence, the good news is that
more can be done.
We formed a Catastrophic Terrorism Study Group to move beyond a realization
of the threat to consider just what can be done about it. This group began
meeting in November 1997. We examined other studies that consider this
problem. We received information and advice from some current government
officials as well as from those who had considered the problem from the
perspectives of governments in Great Britain, Israel, Germany, and Russia.
We now advance practical proposals for consideration and debate. We avoid a
grand solution, preferring to shape "bricks" that strengthen existing
structures, consider the very different technical challenges presented by
nuclear, biological, chemical, and cyber threats, and provide a foundation
for future adaptation and future building.
Organizing for Success
The threat of catastrophic terrorism typifies the new sort of security
problem the United States must confront in the post Cold War world. It is
transnational, defying ready classification as foreign or domestic, either
in origin, participants, or materials. As the World Trade Center incident
demonstrated, one group can combine U.S. citizens with resident aliens and
foreign nationals, operating in and out of American territory over long
periods of time.
The greatest danger may arise if the threat falls into one of the crevasses
in our government�s field of overlapping jurisdictions, such as the divide
between terrorism that is "foreign" or "domestic;" or terrorism that has
"state" or "non-state" sponsors; or terrorism that is classified as a
problem for "law enforcement" or one of "national security." The law
enforcement/national security divide is especially significant, carved
deeply into the topography of American government.
The national security paradigm fosters aggressive, proactive intelligence
gathering, presuming the threat before it arises, planning preventive action
against suspected targets, and taking anticipatory action. The law
enforcement paradigm fosters reactions to information voluntarily provided,
post-facto arrests, trials governed by rules of evidence, and general
protection for the rights of citizens.
We start with a concept for an overall end-to-end strategy. This has at
least four elements: (1) intelligence and warning; (2) prevention and
deterrence; (3) crisis and consequence management; and (4) a process for
coordinated acquisition of needed materials, equipment, and technology.
Throughout, there must be clear guidance about what our institutions should
be able to do and definition of the roles and missions of involved agencies
at all levels of government.
In an address at the U.S. Naval Academy, President Clinton announced on May
22, 1998, that we must approach the new terrorist challenges of the 21st
century "with the same rigor and determination we applied to the toughest
security challenges of this century." To that end he signed Presidential
Decision Directive (PDD) 62 and appointed a National Coordinator for
Security, Infrastructure Protection, and Counterterrorism to "bring the full
force of all our resources to bear swiftly and effectively." The National
Coordinator and PDD-62, like the predecessor PDD-39, look to "lead agencies"
on one or another issue to "identify a program plan with goals and specific
milestones." The National Coordinator will produce an annual "Security
Preparedness Report," offer budget advice, and lead in the development of
guidelines for crisis management.3
We welcome the presidential determination to address the danger of
catastrophic terrorism and see no harm in the designation of a responsible
White House aide. But we suggest a different emphasis when it comes to
solving the difficult problems of shared powers and overlapping authorities.
We place no faith in czars. An unidentified, incautious administration
official explained to reporters that "when money was going to the war on
drugs, we created a drug czar. Now money is going to counterterrorism, and
so we�ll have a czar for that, except this one will have real power."4 A
national coordinator may be necessary, but is certainly not sufficient. For
better or worse, however, "real power" resides in the executive departments
and companies that actually have people, equipment, money, and the capacity
to do things. This report thus focuses on building such capabilities, rather
than dwelling on coordination at the apex.
"In form," Richard Neustadt explained long ago, "all Presidents are leaders
nowadays. In fact this guarantees no more than that they will be clerks.
Everybody now expects the man inside the White House to do something about
everything. ... But such acceptance ... merely signifies that other men have
found it practically impossible to do their jobs without assurance of
initiatives from him. ... They find his actions useful in their business.
... A President, these days, is an invaluable clerk. His services are in
demand all over Washington. His influence, however, is a very different
matter."5
Well before the idea of a terrorism czar had been conceived, James Q. Wilson
had noticed that "whenever a political crisis draws attention to the fact
that authority in our government is widely shared, the cry is heard for a
�czar� to �knock heads together� and �lead� the assault on AIDS, drug abuse,
pollution, or defense procurement abuses. Our form of government, to say
nothing of our political culture, does not lend itself to czars...."6
Also, most of the expensive functional capabilities that must be brought
together to cope with the danger of catastrophic terrorism are capabilities
that are needed for other purposes, too, from reconnaissance satellites to
National Guardsmen. Unifying these capabilities exclusively for one
challenge will not work in practice. The people making decisions about using
these capabilities against terrorists should be the same people who must
consider the other missions and who can weigh and reconcile competing
demands.
Experience from World War II (such as that of the British Chiefs of Staff
Committee or the U.S. Office of War Mobilization) through the Cold War to
the present, including the current system of security policymaking the
British have devised (after long trial and error) for Northern Ireland,
instead counsels us toward a different approach.7 One or another executive
agency may be in the lead, but the key is to give responsibility (and
accountability) to the people who are in charge of the relevant people and
machines; create unglamorous but effective systems for shared
decision-making that combine civil, military, and intelligence judgments up
and down the chain of command; fashion entities that integrate planning and
operational activity at the working level; and focus on the tasks of
building up the institutional capacities to do new things. There must be
exercises of the entire system to highlight defensive needs, before an
incident happens. We turn now to the first crucial task: intelligence and
warning.
Intelligence and Warning
Since 1945 the United States has given intense attention to any potentially
hostile entity that might deliver weapons of mass destruction against its
territory or its allies. The intelligence objectives were straightforward:
orientation toward governments and monitoring of weapons development,
testing, and deployment. The intelligence task for catastrophic terrorism is
complicated by non-state actors, concealed weapons development, and
unconventional deployments. In cyber attacks, the delivery of weapons can be
entirely electronic.
So the intelligence job is much harder. It is not impossible. The would-be
terrorists have problems, too. If states are involved, the organizations
tend either to be large and leaky, or small and feckless. If no state is
involved, the group may be small, feckless, and pathological, too. These
realities form the opportunities for intelligence successes. Even the most
formidable Irish terrorist groups took years of experience to acquire their
level of professionalism and, for all their skills and training, suffered
frequent setbacks in their underground war against British intelligence.
Perhaps the most serious recent attempt to carry out an act of catastrophic
terrorism was an expertly planned effort to destroy, with a series of
simultaneous bomb explosions, the entire electrical power supply for
metropolitan London. The attempt was thwarted and British security forces
arrested the terrorists.
The U.S. government should seek to have the legal authorities and the
capability to monitor�physically and electronically�any group and their
potential state sponsors that might justifiably be considered to have a
motive and capability to use weapons of mass destruction. The U.S.
government should be able to do all that can reasonably be done to detect
any use or deployment of such weapons anywhere in the world, by utilizing
remote sensing technology and by strengthening and evaluating worldwide
sources of information. These would include clandestine collection, open
sources such as foreign newspapers and journals or the Internet, and would
include better-organized exchanges with key allies and other like-minded
states.
Nearly a year before its attack on the Tokyo subway system, the Aum
Shinrikyo group had already used the nerve gas, Sarin, in attacks on
civilians. Although known to the Japanese news media, the U.S. government
did not know. Not only did Washington not know what Japanese law enforcement
agencies knew, it is likely that centralized Japanese law enforcement
agencies did not know what other local organizations in Japan knew about
this prior and well documented use of chemical weapons.
Today the U.S. intelligence community lacks a place to perform "all-source"
planning for collecting information, where the possible yields from efforts
in overhead reconnaissance, electronic surveillance, clandestine agents, law
enforcement databases and informants, and reports from foreign governments,
can be sifted and organized for maximum complementary effect. The national
security agencies can be proactive. Domestic law enforcement officials
understandably are not proactive about intelligence collection but focus
their efforts from informants or other collection to investigate suspected
criminal actions with the objective of criminal prosecution. Civil liberties
properly discourage them from going out and looking for criminals before
they have evidence of crime.
On the other hand, domestic law enforcement has many techniques for
gathering data, including lawful wiretaps and grand jury investigations.
Much of the yield from these efforts is, in turn, closed off to the national
security community by law or regulation, to safeguard constitutional
rights.8
We believe the U.S. needs a new institution to gather intelligence on
terrorism, with particular attention to the threat of catastrophic
terrorism. We call this new institution a National Terrorism Intelligence
Center. This Center would be responsible for collection management,
analysis, dissemination of information, and warning of suspected
catastrophic terrorist acts. The Center would need the statutory authority
to:
� monitor and provide warning of terrorist threats to relevant agencies of
the U.S. government, supporting defense or intelligence operations, as well
as law enforcement;
� set integrated collection requirements for gathering information for all
the intelligence agencies or bureaus of the U.S. government;
� receive and store all lawfully collected, relevant information from any
government agency, including law enforcement wiretaps and grand jury
information;
� analyze all forms of relevant information to produce integrated reports
that could be disseminated to any agency that needed them, while restricting
dissemination of underlying domestic wiretap and grand jury information;
� review planned collection and intelligence programs of all agencies
directed toward terrorist targets to determine the adequacy and balance
among these efforts in preparation of the President�s proposed budget;
� facilitate international cooperation in counterterrorism intelligence,
including the bilateral efforts of individual agencies;
� not manage operational activities or take on the task of general
intelligence about the proliferation of weapons of mass destruction (now
coordinated in the Director of Central Intelligence Nonproliferation
Center);
� be exempt from motions for pretrial discovery in the trials of indicted
criminals.9
Since this Center would have constant access to considerable domestic law
enforcement information, we believe it should not be located at the Central
Intelligence Agency. The highly successful Director of Central Intelligence
Counterterrorism Center established in the mid-1980s has a narrower mandate
than the National Center that we propose and it would be incorporated into
the new National Center. Instead we recommend the National Center be located
in the FBI. However, the Center, in our conception, would be responsible to
an operating committee, chaired by the Director of Central Intelligence and
including the Director of the FBI, the Deputy Secretary of Defense, the
Deputy Attorney General, the Deputy Secretary of State, and the Deputy
National Security Adviser. The budget would be included within the National
Foreign Intelligence Program, which already provides support for the FBI�s
National Security Division. Unresolved disputes would go to the National
Security Council. The director of the Center would come alternately from FBI
and CIA. The major intelligence organizations would all be required to
provide a specified number of professionals to the Center, and this number
would be exempt from agency personnel ceilings.
The concept of this Center attempts to combine the proactive intelligence
gathering approach of the national security agencies, which are not legally
constrained in deciding when they may investigate a possible crime, with the
investigative resources of law enforcement agencies. We must have an entity
that can utilize our formidable but disparate national security and law
enforcement resources to analyze transnational problems. This combination
should be permitted, consistent with public trust, only in a National Center
that has no powers of arrest and prosecution and that establishes a certain
distance from the traditional defense and intelligence agencies. The Center
would also be subject to oversight from existing institutions, like the
federal judiciary, the President�s Foreign Intelligence Advisory Board and
the select intelligence committees of the Congress.
There are precedents for creating novel interagency operating institutions
that work�the National Reconnaissance Office and the reformed
Counterintelligence Center offer relevant illustrations. We are not anxious
to create new government institutions. But the problems in information
sharing about terrorism are not just products of petty bureaucratic
jealousy. They stem from a real question: how do we reconcile the practices
of foreign intelligence work with the restrictions that properly limit
domestic law enforcement? We believe our proposal offers a possible answer.
Prevention and Deterrence
There are several measures that we believe will contribute to prevention and
deterrence of catastrophic terrorism. We suggest three measures here�an
international legal initiative to make any development or possession of
weapons of mass destruction a universal crime, a National Information
Assurance Institute, and stronger federal support to strategic risk analysis
of the catastrophic terrorism problem.
Outlawing Terror Weapons
Prevention is intertwined with the concept of deterrence. The U.S. has
finally developed a sound, firm, and increasingly credible declaratory
policy that criminalizes terrorist activity and supports sanctions, or even
the use of force, to thwart an attack or respond. We also believe that the
United States must work with other countries to extend the prohibitions
against development or possession of weapons of mass destruction. Matthew
Meselson and others have recently proposed a convention that would make any
individual intentionally involved in biological weapons work liable as an
international criminal, prosecutable anywhere, as is the case for pirates or
airplane hijackers.10 Defensive work against biological warfare agents would
of course be permitted.
There are already international treaties in which governments promise to
restrain their weapons developments�the nuclear Non-Proliferation Treaty,
the Biological Weapons Convention, and the Chemical Weapons Convention are
the most notable examples. Governments breaking such a treaty violate
international law. We are pressing a different idea. Prohibited weapon
development would become a universal crime, opening the way to prosecution
and extradition of individual offenders wherever they may be found, around
the world. This idea utilizes the power of national criminal law against
people, not the power of international law against governments. It builds on
analogous developments in the law of piracy, treaties declaring the
criminality of airplane hijacking, crimes of maritime navigation, theft of
nuclear materials, and crimes against diplomats.
We are concerned about the actions of governments, too. Over time, we hope
the burden of proof in demonstrating compliance with international
conventions must also shift away from those alleging noncompliance to those
states or groups whose compliance is in doubt. International norms should
adapt so that such states are obliged to reassure those who are worried and
to take reasonable measures to prove they are not secretly developing
weapons of mass destruction. Failure to supply such proof, or prosecute the
criminals living in their borders, should entitle worried nations to take
all necessary actions for their self-defense.
National Information Assurance Institute
Cyber-terrorism is a special problem, where private sector cooperation is
vital, but elusive. The President�s Commission on Critical Infrastructure
Protection (often called the Marsh Commission) stressed that industry was
reluctant to deal with these problems on its own because the solutions cost
money, the risk is unclear, and they fear heavy-handed government action. On
the other hand, although the FBI has created a National Infrastructure
Protection Center, which can help identify sites that need help, we do not
think FBI, with all its operational duties, is the place to build a bridge
with the private sector or harness the significant resources and expertise
found on the cyber problem within the Department of Defense. So we propose a
National Information Assurance Institute, based within the private,
nonprofit sector, that could serve as a kind of industry laboratory with a
central focus on cyber protection. Placed in the private sector, the
institute would not itself own the infrastructure or be part of the
government, but it could deal with both sides. It implements the Marsh
Commission�s recommendation, seeking a way for industry to organize itself
better to deal with this problem as part of a public-private partnership.
For industry, this institute could become:
� a clearinghouse for sharing information assurance techniques and
technology;
� a developer of common techniques and technology for information assurance;
� a trusted repository of proprietary information that poses no competitive
threat;
� a single point of contact with the law enforcement, national security, and
other agencies of the federal government;
� a resource for training and familiarization of industry personnel with
technical best practice and government concerns, policies, and regulations.
For government, this institute could become:
� a channel for sharing sensitive intelligence about threats to information
infrastructure;
� a center of technical excellence for developing and improving technology
and techniques for protecting critical infrastructure;
� a unified government-industry forum for coordinating federal policy,
regulation, and other actions affecting infrastructure providers.
We envision that the institute would be established as a not-for-profit
research organization by a group of concerned private companies,
universities, and existing not-for-profit laboratories. The institute would
be governed by a board of directors drawn from the private sector and
academia.
The institute staff could be supplemented by detailees drawn from both
industry and government. Industry affiliates would not only include the
manufacturers and maintainers of information systems, but also service
vendors, their trade associations, and the major companies and trade
associations from the power, telecommunications, banking, transportation,
oil and gas, water and sewer, and emergency service sectors (including
multinational companies, with appropriate protection for circulation of
U.S.-only classified information).
This new institute could perform information assurance assessments for
industry on a confidential basis. Industry representatives would be educated
and trained on technical best practice, threats, and government policies.
The institute would receive contracts from government. The institute could
sponsor and conduct research on security assessment tools, intrusion
detection, recovery, and restoration. As it identifies and develops industry
standard best practices, and evaluates the vulnerability of commercial
products, we prefer to rely where possible on informal private sector
enforcement of these ideas in the marketplace (through insurance rating, for
example), rather than formal government regulation. The institute could also
perform incident evaluations, create a monitoring center for information
assurance, provide on-call assistance, and help industry develop contingency
plans for failure.
Risk Analysis
Other than more general policies to keep America�s enemies to a minimum and
to prevent anyone from acquiring weapons of mass destruction who does not
already possess them, efforts to prevent catastrophic terrorism turn on the
interdiction of people and materials and on deterring attacks. A serious
U.S. government effort would include development of the capacity to use
remote sensing technology to detect, at least from close range, any
distinctive and measurable physical properties of nuclear, biological, and
chemical weapons or their less commonplace precursor materials and the
distribution of this technology in a form that can be used in the field.
Aided by international agreements among supplier nations, materials that can
be used in weapons of mass destruction would be marked or tagged wherever
possible, to enhance detection or post facto identification.
Moreover, the United States should seek to ascertain the identity of every
person and the contents of all freight entering its territory or its
installations overseas. Though we know this goal obviously cannot be
attained in the immediate future, it is a legitimate objective for the
long-term. Even imperfect measures can still create the perception, among
would-be terrorists, that they or their precious weapon material might run a
significant risk of being intercepted. But systematic interdiction efforts
require shrewder analysis of where more resources can make a difference.
The allocation of inspection and protective instruments by the government
should be guided by risk analysis. This form of analysis is well known to
engineers who may analyze a dangerous system to find the key sequences of
errors that can lead not just to failure, but to catastrophic failure. Those
are the sequences that then command disproportionate engineering attention
(to add redundant switches, for example). Not all worries merit equal
concern. Engineers refer to a "balanced" design as one where all the
components have been designed to be as good as the whole system needs,
neither better nor worse.
The role of risk analysis, or strategic analysis for risk control, is to
analyze threats and define risks in a natural way (avoiding the temptation
to define them in terms of existing agency boundaries or capabilities), to
commission further data gathering and analysis to assess relative
significance, and then to subdivide acute risks into actionable components
where resources can make a difference.11 A systemic approach is needed that
encompasses broad area surveillance; specific threat identification;
targeted surveillance and warning; prevention, protection, deterrence,
interdiction and covert action; consequence management; forensic analysis of
a site to determine responsibility, punitive action, and learning lessons.
Analysis, for instance, shows that international border crossings are an
important bottleneck in the worldwide movement of criminals. The United
States, rather than just looking after the verifiability of its own
passports, should organize resources focused on such bottlenecks throughout
the world. We can imagine, for instance, a system created, with American
funding, to insure that every country�s passports are computer readable,
that every passport control officer has such a reader, and that every reader
is linked to a database that can validate the status of the document, or
indicate the need for further inquiries. The database need not invade the
internal files of any government. As is already the case in the private
sector, third entities can be created to perform the clearinghouse role,
using data supplied by participating governments. Naturally, terrorists
could still use documents of non-participating countries, but those would
attract just the suspicion such travelers seek to avoid.
Government agencies can do many things reasonably well, but strategic risk
analysis is not one of them. We recommend establishing a center for
catastrophic terrorism risk analysis, offering a substantial multi-year
contract, executed by the FBI, to a not-for-profit research center to
perform this sort of analysis, devise and evaluate exercises and tests, and
develop concepts of operations for countering catastrophic terrorism. Early
in the nuclear era the RAND Corporation played an important part in helping
the government think about a new set of security concerns. The Department of
Defense has made a start by establishing an advanced concepts office in the
newly formed Defense Threat Reduction Agency. But risk analysis will require
a national, not just a DOD, focus.
Crisis and Consequence Management
Crisis management for catastrophic terrorism should include the capacity to
employ appropriate force and specialized capabilities in any part of the
world, endeavoring to minimize collateral damage, and to thwart a possible
attack using weapons of mass destruction. Crisis management would include
urgent protective efforts, employing every resource at the disposal of
federal, state, and local governments. The U.S. government should also
acquire capacities and plans for forensic investigation of the site of an
attack in order to collect evidence and identify those responsible for
further action.
Consequence management is a capacity to deal with the aftermath of an
attack. The United States, at all levels of government, must develop the
ability to respond effectively within hours, if not minutes, to any use of a
weapon of mass destruction�nuclear, biological, chemical, or cyber�against
American targets with appropriate and specific measures to mitigate
casualties and damage. This is a large order. The needed capabilities
include emergency medical care, distributions of protective gear or
medications (including vaccines for those not yet exposed to the
pathogen12), evacuations, and area quarantines, among other measures. Since
these capabilities would need to be on a large scale, extensive preparations
are needed to ready them in central locations, be able to mobilize them on
sudden notice, be able to transport them where needed, and expect local
authorities and caregivers to be ready to receive and use them. The United
States must also have emergency plans readied, including redundant or
alternative control systems, for sustaining the operation of infrastructure
that provides the necessities of life, if this infrastructure comes under
attack.
The present system for handling terrorist emergencies is based on the FBI
or�if overseas�on initiatives by State Department representatives or local
military commanders. If an acute threat emerges in the United States, local
authorities are expected to alert the local FBI
--- End Message ---
