R. Narasimha opened the session on a systems approach to countering terrorism by stating that he was very glad to see that a meeting concerning counterterrorism was taking place, almost exactly 10 years after the first workshop on the same topic was held in Goa, India, in 2004.
Norman Augustine opened by saying that, unfortunately, the subject that brought this group of experts together is not pleasant, but it is of the utmost importance to both India and the United States. The interactions of the planning committees to prepare for this gathering made clear that the United States and India have a large number of common interests when it comes to countering terrorism, not to mention the fact that these two countries have both suffered greatly at the hands of terrorists. America has a great deal to learn from India’s experience, he said, and he hoped that America’s experience might prove of value to colleagues from India.
In the years just prior to the September 11, 2001 (9/11), attacks on the United States, Augustine served on a commission that was established by the U.S. Congress to investigate U.S. national security in the decades ahead. Arguably, the most significant sentence in the final report of that commission, issued a little less than a year before 9/11, read as follows: “terrorists and other disaffected groups will acquire weapons of mass destruction and mass disruption, and some will use them. Americans will likely die on American soil, possibly in very large numbers.”1
The report proved, unfortunately, only too prescient when the events of 9/11 occurred shortly after the report was issued. One of the major recommendations of the report, which became known as the Hart-Rudman Report after the commission’s chairmen, was to bring together the 22 different elements of our federal government that had significant responsibilities for counterterrorism.2 When dealing with systems problems, such as terrorism, a fragmentation of effort is one of the greatest barriers to successfully carrying out the counterterrorism mission. Indeed, as experts in the United States belatedly learned following the events of 9/11, there had been warnings that, had they been able to fit the pieces of the puzzle together, might have helped avoid that tragedy.
1U.S. Commission on National Security/21st Century. New World Coming: American Security in the 21st Century. Washington, D.C.: Government Printing Office, September 15, 1999, p. 138. Available at http://gov.info.library.unt.edu/nssg/NWR_A.pdf; accessed September 15, 2014.
The U.S. Department of Homeland Security (DHS) was created as had been recommended, but only after 9/11.3 The scales of terrorism seemed to be tipped very much in the favor of terrorists. Terrorists can decide where they wish to act, when they wish to act, and how they wish to act. This places counterterrorist forces in the untenable position of having to be prepared for everything, everywhere, all of the time; something that is an obvious impossibility.
The terrorists’ range of choices extends all the way from biological attacks to physical attacks, from attacks on the economy to attacks on the food supply, and far more. The implication seems to be that the defense has to be prepared to take an offensive role as well as a defensive role, something that could be very controversial. This, along with other possible actions, requires balancing risks and intelligently allocating resources. That, of course, is “systems thinking.”
Augustine continued his introductory remarks about systems thinking as it relates to the counterterrorism mission and set the stage for other, more specific examples, and case studies that followed throughout the workshop. He explained that the deterrence strategy of the Cold War is now rather bankrupt when one deals with terrorists. It assumes a rational enemy, and, in particular, an enemy that does not wish to die in carrying out its aims.4
In contrast, many terrorists are willing or even desire to die when carrying out their activities on behalf of their cause. We have seen this both in the Mumbai attacks and on 9/11. Augustine argued that in the intervening years since the Cold War ended, two major changes, both brought about by technology, have profoundly affected the role and consequences of terrorism. The first of those changes was what we have come to call globalization. The second is the amplification of destructive power available to individuals.
With respect to the former, modern jet aircraft have made it possible to move things, including people, around the world at very nearly the speed of sound. Modern information systems have made it possible to move ideas, knowledge, and data around the world literally at the speed of light. Frances Cairncross referred to this phenomenon as the “Death of Distance.”5 Indeed, distance has died. What happens in Bangalore now matters in Boston. What happens in New York now matters in New Delhi.
2U.S. Commission on National Security. New World Coming.
3U.S. Commission on National Security. New World Coming.
4Some experts caution that not all those who study terrorists agree that Cold War deterrence should be applied to the terrorist challenge.
5Cairncross, F. The Death of Distance: How the Communications Revolution Is Changing Our Lives. Boston: Harvard Business School Press, 1997.
Then turning to the magnified power of the individual, Augustine stated that for the first time in the history of the world, individuals or very small groups acting alone can profoundly impact the lives of very large groups of people. That is a big change. This has been the consequence of nuclear weapons, biological weapons, and to a lesser degree, radiological and chemical weapons, and other kinds of attacks. These developments have been exacerbated by the growing interconnectivity and interdependence across nations and within nations of supporting assets as well as the concentration of people in small physical areas.
Terrorists who seek to exert the use of some weapons cannot maintain control over the people that they attack, but they can fairly well deny effective control over their population. Certainly, it makes no sense for terrorists to engage in conventional warfare with powerful nations like India or the United States. That is why, of course, they become terrorists. The impact of such individuals and groups can often produce a psychologically disproportionate effect on the populace.
This is where the amplification factor takes place. An example with which Augustine is intimately familiar concerns two young men, not very bright young men, who had one weapon, namely a rifle. A few years ago, they terrorized Washington, D.C., for more than a week. They created traffic congestion throughout the metropolitan area. They succeeded in killing 10 innocent people, but that was during a time period when 10 people died in our same area due to automobile accidents that went largely unnoticed, other than by their families and friends. There is an amplification factor that makes smaller acts have a powerful impact.
So what is to be done? Augustine argued that to begin, terrorism does have to be viewed as a systems problem. By that, he meant that the challenge of terrorism has to be addressed in its whole, not individually by addressing only parts of the problem. This permits one to optimize the use of one’s resources and to look for weak links in the chain that often can reveal very highly leveraged actions that the counterterrorist forces could take.
Consider the possibility of using commercial aircraft as a weapon, as happened on 9/11. That was something that had certainly been addressed well before 9/11 by security organizations, and, unfortunately, by terrorists as well. Examining this possibility as a systems problem requires an examination of all of the elements involved. One might have concluded that the best option one could take would be to reinforce the cockpit doors on commercial aircraft. This is not a high-tech solution and not a very expensive solution, but had that been done we probably could have prevented the 9/11 attacks from occurring, at least the way in which they occurred.
The challenge, of course, is that systems problems tend to be exceedingly complex, terrorism being one of the ultimate examples. Consider, for example, the simplest of all possible systems, a system that has two elements that can impact each other in a binary fashion, either on or off. If one has two elements, obviously there are four possible states for that system. One could have each element impacting the other, neither impacting the other, or the first impacting the second, or the second impacting the first. There are four possible states for the system with just two elements.
If one advances to a system with three elements, one discovers that there are suddenly 64 possible states. Professor Frederic Whitehurst of the Max Planck Institute derived the equation that describes a number of possible states for a complex system. He appropriately called his equation the “monster.” Indeed, it is a monster. If there are just seven elements in a system of the type described, the number of possible states exceeds the number of stars in our galaxy. The conclusion is evident. One cannot plan for or even consider every possible situation in a complex system. That underscores the importance in systems thinking and systems engineering of risk management, and of trade-offs. One cannot do everything. Systems thinking could help reveal how best to allocate limited resources.
To answer questions like these, one first must learn to think like a terrorist, something that is not easily done. Second, one has to understand one’s own value system and the terrorists’ view of that value system. When dealing with threats that are both likely and highly consequential, one is generally best served by a defense-in-depth approach because no single layer of defense is likely to provide a sufficiently high degree of protection.
Fortunately, the challenge of a complex system applies to the terrorist as well, which is why one can maintain hope for the defense. A simple example would be to have a magnetometer in one area of an airport and have a chemical sniffer in another area and another area would have dogs. Then these areas should change from time to time so that an attacker could not be aware in advance of what sort of sensing would be in use at any given time.
Furthermore, a strategy of this type requires the attacker to be better coordinated. Even if the individual elements are not terribly effective, they may force the attacker into a situation where he or she is vulnerable to other means of detection because of the need for more coordination and communication. Augustine cited an example of a non-high-tech case that occurred during the Vietnam War when a U.S. artillery base was continually under attack in the middle of the night by Vietcong. The commander did a systems analysis of the attacks.
It occurred to him and to his colleagues that the enemy had very poor tactical communications. They had to plan the attacks in advance, rehearse them, and coordinate them well. It occurred to him if he could get inside of their communications cycle, he could change the entire situation. First, they put all of the guard towers in the defensive positions on skids. Every evening just before dark they would take bulldozers out and move them all around and change the puzzle, and they were never attacked again at that particular base. It is a very non-high-tech example, but a very effective one, resulting from systems thinking.
Augustine returned to the subject of defense in depth and not being confined to a purely defensive posture. It is important to understand the enemies’ motives, and their limitations. The latter is a very great challenge in democracies and free societies. It is very likely that this will become a greater and greater issue as technology advances further. The question is how does a government protect its citizenry against terrorist attacks, and at the same time not invade the privacy that those citizens expect living in a democracy.
Given the understanding of values that one assigns to one’s own assets, both physical and societal, and an understanding of the enemy and the enemy’s modus operandi, a systems approach would call for disrupting potential attackers’ plans through both active or passive means before they could take any action, as well as taking actions to minimize the impact of an attack, should it occur. Having done a defense-in-depth analysis, what remains is to enhance the defenses of important targets, to counter whatever attack actually occurs, and finally to recover from the attack. An important aspect that is rarely discussed is being able to provide forensics analysis that can point to the origin of the attack.
It is noteworthy that an informed citizenry could do a great deal to help protect itself. However, Augustine’s own admittedly nonscientific surveys in the United States reveal that most citizens, even generally well-informed citizens, are not aware of what they can do to help protect themselves. For example, if one goes out on the street and asks people what they should do if there is a chemical attack, go to the attic or the basement, or if one asks, in the case of a nuclear attack, should one go to the basement or to the attic, most people do not know. In the case of a radiological attack in a particular area, should one try to go to the north, to the east, to the south or to the west, depending on the prevailing winds and the given locale? In the case of a biological attack, should one go to the hospital to get a vaccination or should one stay at home? If one stays in the house and seals the doors and windows, how long could one live before becoming asphyxiated? Augustine’s surveys show that very few people know the answer to any of those questions. Yet, were they to know, they would be able to greatly reduce the casualties in the event of major attacks.
Finally, he noted first and foremost, when dealing with both terrorism and counterterrorism, one is dealing with people. In addition to cases where people unintentionally fail to carry out their responsibilities, there are cases where people can intentionally cause harm or fail to carry out their responsibilities. The latter are cases of insider threats. This could be forestalled to some degree through thorough personnel assessments, through random task assignments of personnel, and again through defense-in-depth, including the use of so-called two-key control systems. Understandably, human behavior does play an important role in both the success of terrorists and the success of those seeking to counter terrorism.
Augustine recently had the occasion to investigate, on behalf of the U.S. government, an incident that occurred at the Y-12 nuclear facility in Oak Ridge, Tennessee, during which an 82-year-old nun and two 60-year-old drifters cut through four secure fences and went through three secure zones in the middle of the night at one of the United States’ most highly defended facilities without being detected. Presumably, they were not terrorists. They were protestors. They reached the outside of the building that was being protected. No one arrived to arrest them.
This was all recorded on night vision television. They took a hammer out of their backpack and proceeded to pound on the walls, hoping to bring a guard to arrest them. The guards heard the pounding and thought the carpenters were working late that night. Ultimately, the intruders were arrested. One has to ask: How could this possibly happen and could this happen anywhere else? There were many factors that contributed to this incident. However, these factors could be summarized in one word: culture.
First, the guards, in many cases, went to work every day knowing that it was highly unlikely that in their entire lifetime they would ever face a real threat. Second, in this case, the electronic warning devices had so many false alarms that the guards generally did not pay much attention to them. Third, realistic training exercises were not possible because if they were sufficiently realistic, people would be killed. Added to this, the guards’ responsibilities at such facilities are immense.
In other words, guard positions require intelligent people. There is nothing more boring than standing in a dark hallway holding a rifle for 10 hours a day. These are very bright people in a very boring job. That is a hyperbolic combination, to borrow a phrase from aerospace. Based on this incident, it was concluded that one has to rotate work assignments, work shorter shifts, certainly demand higher levels of discipline, and conduct every possible form of training that remains safe. One cannot reduce risk to zero, however.
By examining terrorism as a systems problem, it would appear that by prioritizing vulnerabilities, the value of assets, and the choices one has, the impact of terrorists could be substantially reduced. Augustine suspects that taking this systems approach has been one of the factors that contributed to the reduction of terrorism in both the United States and India in recent years. The same can be said for successful acts of terrorism: thinking systematically has produced many deadly acts of terrorism. That is something Augustine never would have predicted on 9/11.
Augustine concluded by saying that he hoped his remarks would be useful. He expressed his expectation that he would learn a great deal from Indian colleagues and from American colleagues. He expressed the desire to contribute wherever he could, because this gathering could make a great difference.
Nehchal Sandhu said that the government of India recognizes the value of all of the propositions Augustine raised. They realize that a systems approach is the only way to deal with this very complex problem, and they have their own experiences with regard to employing a systems approach.
Sandhu stated that the need for a systems approach was first recognized in the late 1990s during the Kargil episode. A large number of regulars and irregulars of the Pakistani Army entered the Indian side of the Line of Control in a part of Jammu and Kashmir, and remained there for some time until they were evicted. There was a Kargil Review Committee, and then a group of ministers read the recommendations that flowed out of the four task forces that were established. One of the main recommendations was that India needed to have a MultiAgency Center, which meant that all of the agencies involved in security, in collecting intelligence, and in implementing preventative plans should be able to get together. This was not just to make them collectively aware of what the threats are at a particular juncture but also of how to formulate response strategies so that the threats could be mitigated and addressed. The MultiAgency Center opened in 2001, and started with 14 or 15 agencies. Cultural inhibitions prevented participating agencies from sharing everything necessary. As a result, the MultiAgency Center did not progress as well as it should have. The Mumbai attacks are an example of handicaps in India before the MultiAgency Center became effective.
There was intelligence about a possible attack through a vessel coming in across the west coast. There was intelligence to suggest that these people had taken off from Pakistan. The precise landing point and other details were not known. The Minister of Home Affairs, who is now the finance minister, P. Chidambaram, took it upon himself to breathe new life into the MultiAgency Center. He issued a new order at the end of December, creating a new means of collaborating within the MultiAgency Center. He did not opt for the creation of a crowning hierarchy in something like the U.S. DHS, because he believed that it would be difficult to aggregate under one leader. He thought that whatever is worth focusing on could be brought to the table before the agencies that were concerned.
Today, India’s MultiAgency Center has approximately 26 or 27 agencies, right across the board from Revenue to Intelligence to Response Mechanisms, and so on. They meet every day at 3:00 p.m. Everyone brings to the table anything they may be aware of with respect to developing threats. A discussion is held. Responsibilities are assigned for any developing leads. The next day, all the collected information is reviewed in addition to reviewing new intelligence.
Interestingly, one of the subsystems introduced into this mechanism was the concept of focus groups. Not all 26 or 27 agencies need to be involved if the issue is not relevant to their expertise. For example, if the issue is not something associated with finances or movement of terrorist funding, the Indian Revenue Service need not be burdened with participation in those focus groups dealing with other issues. The issue is taken to the people who have provided the intelligence, those who can supplement it or create corollaries and substantiate or enrich the intelligence. Another group consists of people who are actually responsible for responding to the intelligence. These focus groups then have continuous meetings, and they work on the issue until the problem has been resolved.
Therefore, today there is a platform where all of the relevant agencies participate. Each maintains its identity, but everyone sees everything. Those that need to act have a mandate and a responsibility to do so. The founder of the center did not want to create Standard Operating Procedures for every kind of contingency because that would have introduced rigidities. Incident commanders are free to develop their own approaches.
Within this entire system of dealing with terrorism, as Augustine mentioned, the government of India has taken note of the role that the public can play in warding off terrorist threats through sheer observation of what is occurring on the ground. There are sensitization programs undertaken by every police officer with communities to enlist their cooperation and to be able to provide a better response.
The government is also installing a number of closed-circuit television cameras in big cities. Mumbai will have 6,800 cameras once they are all installed. The cameras will have very sophisticated regional and centralized analysis centers, which would then aid response forces dealing with these types of situations.
Sandhu also noted that in India potential terrorist targets are protected by first identifying the people who might be attacked. Threat assessments are conducted by all of the relevant agencies. Then a designated group determines what type of protective security needs to be provided to each individual.
With regard to facilities, India has three types of installations, A, B, and C categories. Every facility is first inspected, and then a menu of necessary security equipment is purchased for them, and they are required to comply with these purchases. In A-category facilities, an annual review is conducted and people who have access to sector-relevant intelligence go to the facility and determine whether the facility is in compliance and whether they need to adjust any part of the defense system to ensure that new threats are considered and addressed. B-category facilities are inspected once every 2 years, and C-category facilities are inspected once every 3 years. The door is always open for discussion to every facility director to address any new concerns if a matter has emerged in that neighborhood.
Two kinds of counter-terrorism capacities have also been developed. One requires every state to establish an anti-terror squad and special task forces. These groups have a dual role. They have a role in responding in the event of a terrorist attack. They also have a role in investigating terrorist cases. If the crime scene is not preserved, then a lot is lost right away. If the first responder is the person who has to investigate subsequently, he or she will hopefully make certain that the crime scene is protected and that the necessary experts can then come in and recover available forensic evidence.
Sandhu added that they also increased their capacity for forensic analysis. They are now able to determine on the basis of very small, pico-quantities whether a certain explosive was used or not used, what kind of detonators were deployed, and what kind of timers were employed. That all feeds into the second part of the response, which for a complex incident or a multi-scene event, is coordinated by the National Investigation Agency (NIA). This is a new, specialized agency that came into being about 5 years ago to only deal with terrorist crimes. Unfortunately, in the Indian legal environment and federal structure, law and order and crime investigations are handled by provincial police offices; therefore, the NIA does not investigate terrorist cases unless invited to do so.
Normally, the state response mechanism, which could be the local anti-terror squad, does the basic response work. They preserve the evidence and the NIA works alongside the local group, but is not in the lead. Only when notification is issued by the government is the investigation transferred to the NIA.
India also has the National Disaster Management Authority (NDMA) that can be deployed if biological agents, chemical agents, nuclear agents, or any material of that sort affecting large sections of the community are used. NDMA has a response capacity, including trained personnel and materials that they can move to affected areas, distribute, and use to prevent loss of human life.
To open the discussion, a workshop participant noted Augustine’s comments about the Y-12 incident. A month prior to the incident, there was an international training course on physical security at the facility. However, when there is training and then something like this happens a month later, the training does not seem to have been adequately effective. How can training be more effective?
Augustine agreed that this is a profound question to which he wished he had an answer. This was a case where the challenge was recognized, and for a variety of reasons they never were able to focus on the issues cited, and they paid a price for it.
Augustine returned to Sandhu’s comment on the recommendation that 22 organizations should be compiled. The point was made that this is difficult because one has to be careful not to create a super-bureaucratic organization without creative, imaginative, fast-on-your-feet people. Just as an interesting case study, when the United States created DHS, Augustine was on the President’s Homeland Security Advisory Council. He spent a good deal of time trying to help the U.S. government determine how to organize DHS. By coincidence, at the same time Augustine’s corporation was in the process of acquiring 22 different companies, the same number of the elements of DHS. The corporation had almost exactly the same total budget as DHS, which at the time was $45 billion per year. They had the same number of employees, which was about 185,000 people.6 Within a year from the time the corporation merged those 22 organizations together, they truly operated as one organization. DHS, as good as it is, is still struggling, in Augustine’s opinion, to act as one entity. As he has learned from spending 10 years in government, it is just a lot harder in a democracy to make things happen than it is in the private sector, where people who do not “get with the program” go somewhere else. It is just a common challenge.
6Department of Homeland Security. “Budget-in-Brief Fiscal Year 2014.” Available at http://www.dhs.gov/sites/default/files/publications/MGMT/FY%202014%20BIB%20-%20FINAL%20-508%20Formatted%20(4).pdf; accessed October 16, 2014.
S. Chandrashekar asked: If there was a terrorist attack in the United States and there was a local response, what would be the role of the security structure? What would be the role of the state structure? Who has the final authority in the United States? What is the state-level coordination mechanism in India? How effective is it? Are there jurisdictional or turf-related issues? Is there a better way to clarify this authority?
Sandhu replied that the Indian constitution outlines a certain distribution of responsibilities, and not until it is amended, and that is unlikely to happen, will it be possible to rebalance and reapportion the authority of the provinces vis-à-vis the central government. The reality of the situation is that if a terrorist strike were to occur, the administration or the jurisdiction affected would be very interested in cleaning the area and trying to successfully detect and prosecute the perpetrators. They therefore would work very hard. Also, if they fairly quickly discern that they are not able to make headway, then they would request central support and the NIA would assist. There is little resistance to requesting central support, which would entail flying in forensic teams, bomb disposal experts, and even expert investigators. For the most part, provincial jurisdictions are quite happy to receive additional assistance from the central government.
Augustine provided a similar example. One of the successes accomplished in the United States since the events of 9/11 is that there is a very clear, agreed-upon protocol of who is responsible for what. To oversimplify, the initial tactical response is left to the local organizations. If the events become greater than they are able to deal with, the federal government comes in and helps. Even in the former case, the federal government has much better forensic capabilities, for example, so the local governments can and do ask for support. There is a point at which authority transitions, depending on the nature of the attack, but it clearly starts with the local authorities and the first responders.
Another workshop participant then added to Sandhu’s statement. The participant had the opportunity to work with the weapons of mass destruction (WMD) unit of the Federal Bureau of Investigation (FBI), which had five or six members. They clearly stated that when any incident of food terrorism occurs, state officials immediately contact this unit. For food safety issues, the local and state police address the issue, but if the incident escalates, the FBI or federal police are called.
Augustine added that there is another interesting aspect to security. Approximately 90 percent of the assets that are to be protected in the United States do not belong to the government. They belong to the private sector. We are not as good as we need to be in incorporating the private sector. There certainly has been work done in that area through industrial associations and through contacts with individual organizations. For example, U.S. power systems, food supply, rail transportation, air transportation, and any number of other critical elements are principally in the private sector.
Following up on the issue of federal and state coordination, Stephen Cohen suggested that it would be useful to compile case studies or examples and compare the two countries’ experiences. There is obviously going to be cooperation in the event of a crisis. It may be helpful to systematically examine how this cooperation adapts based on lessons learned regarding prosecution, preparing for future events and immediate response. This may be an area for larger collaborative work involving social scientists and perhaps historians.
John Holmes supported Augustine’s comments as one who had served as a federal responder and then became a local responder. The blueprint that the United States uses is the National Incident Management System (NIMS), which is available through the Federal Emergency Management Agency. It is exactly as Augustine described. Depending on the complexity of the events, response may begin very locally and then grow much bigger and bring in the federal government.
NIMS is a system that is designed to be very flexible as response grows to bring in other agencies with other capabilities. NIMS was developed locally in California, was adopted by the U.S. government, and has been the template that has been used for many, many years in responding to all kinds of incidents. It could respond to a WMD event although it was actually developed to respond to brush fires in California. Having a blueprint to bring everyone together to work on dealing with an incident is a flexible way of being very inclusive of all agencies. In Holmes’s experience working at the Port of Los Angeles, this system was used many times when an incident occurred and the initial response was by a local law enforcement agency and then subsequently, local officials called in customs officials, the FBI, and many of the other agencies to work cooperatively.
At the end of the day, the blueprint allows for joint handling of constituent groups and joint press releases. Everyone wants to respond to the event when an event occurs, but one also has to be able to deal with other externalities that are sometimes quite difficult, such as dealing with labor organizations and the media.
Referring to assets in the private sector, Srinivas Mukkamala stated again that 90 percent of structures and systems in need of security in the United States are owned by private entities. This makes responding to a cyberincident rather interesting. For example, there are relatively few hospitals dedicated to treating the most critical trauma patients. These essential hospitals are vulnerable to cyberattacks that could deactivate electrocardiogram machines, electroencephalography machines, endoscopes, and ventilators. Recently such an incident occurred at a trauma hospital. Local and state law enforcement agencies do not have the capability to detect or thwart cyberattacks. In the case of the trauma hospital, private forensics investigators were brought in. The state police observed and coordinated with the Justice Department. Rather than making it a cyber law enforcement incident, responders wanted to contain the attack first. They contained the attack in the same way one would address an attack on a civilian facility. Once they were able to bring the hospital back online within 24 hours, law enforcement responses began.
Many responses work in a cohesive way rather than running into restrictions. They try to contain the attack first and then determine the proper jurisdiction. If it is a multistate incident, the FBI has jurisdiction. The incident described involved multiple countries; therefore, the Justice Department involved several other counterterrorist specialists to determine if the incident was one of terrorism or if it was a different type of attack from a particular country. More than seven departments worked together on this incident, and this is occurring more and more frequently, especially during cyberattacks. In the United States, there are several FBI field offices that have the capability to be called in to help immediately.
David Franz noted that Augustine mentioned the importance of culture in the systems approach to dealing with terrorism. Culture, Franz believes, is defined by humans with leadership skills and with technical depth. Having expertise in many areas is important in dealing with terrorism because there are so many unknowns. One cannot plan for a specific kind of a problem.
In the world in which Franz grew up, which was the military, medical, biological defense world, the environment went from the Cold War, in which there was deep technical expertise, to a model where the United States is running people through the system and checking boxes and making sure they had some experience, but not leading. The system was trying to promote staff, but not leaving them in place long enough to become experts. How is this system working in India, and has a solution been found to ensure that the right young people will have expertise and leadership skills? A participant from India replied that this is an area where they are still challenged. They have not been able to overcome the cultural obstacles to create a uniformly acceptable plan of action.
In reply to Micah Lowenthal’s request that Augustine share some of the mistakes that were made in DHS that inhibited the systems approach, Augustine said that he should probably preface his remarks by saying that, overall, he thinks the creation of DHS was the right thing to do and is being carried out very well. There are clear shortcomings. The principal shortcoming in his mind is having several independent “stovepipes” (separate hierarchies of authority, responsibility, and communication that do not interact). Today, there is one organization with many independent stovepipes, and those stovepipes have to be broken down. That requires strong leadership at the top and strong support at the bottom, neither of which is always easy to come by. This will happen, but it is taking a lot longer than Augustine thinks it should have.
Also, he believes that DHS is not as advanced as he had hoped they would be in technology areas. The original plans included a strong technology effort within or at least funded by DHS. That technology effort has never grown to the degree that many in the United States had hoped it would, partly due to a cultural issue associated with the fact that most of the entities that made up DHS were not high-tech organizations. The leadership was made up of people who generally did not have strong technology backgrounds, although there are exceptions. Funding is also an issue. That particular effort was just not funded.
Rita Guenther then asked a question first of Sandhu: Who might comprise the review committees mentioned in his earlier remarks, and how is the scientific expertise for those review committees sought, when the area or the topic permits it or would benefit from it? She then asked a question of Augustine. As someone who has a very broad and diverse set of experiences, how should one go about organizing the thought process to start a systems approach? In other words, how should one begin the thinking before one actually can implement a systems approach? Is there a set of questions that one should ask? How does one even start to think about developing that systems approach?
Sandhu replied that the review committee he referred to deals with the issue of monitoring of communications. It might astound the audience that India depends on legislation from 1885 to conduct monitoring. It is called the Indian Telegraph Act. The second and supplementary legislation that aids in this area, particularly for data, the Information Technology Act, was adopted in 2000.
The Indian Telegraph Act of 1885, Section (2) gives the government the authority to monitor communications. It has been under review several times and it has been challenged often. The most detailed and critical judgment came out of the Supreme Court in 1999. First, it upheld the authority available to the government under the Telegraph Act to carry out monitoring in specific cases. Second, it laid out guidelines as to how these authorities are to be exercised. Third, the court insisted on a better review mechanism. The government had to do all of this. Then they went back to the Supreme Court for their determination of whether or not what they had put in place was satisfactory. With reference to the approvals, first, if there is anything within the government that needs monitoring, there are only seven or eight authorized agencies that can do it. They have to present the reasons for the request within the institution. The head of the institution has to be satisfied that the request is actually justified. He or she will then approach the union home secretary. That is like the federal person in charge of internal security. The home secretary’s office will examine the request and decide whether to accept it or not. It is worth noting that all requests have to relate to a specific entity. One cannot just draw buckets of traffic out; the request has to be in reference to an entity. A decision is then taken. It is interesting to note that 20 percent of the requests made are rejected.
If a request is approved, every month thereafter a review committee meets, including the Cabinet Secretary, who is the top-most official of the government of India, supported by the law secretary, who looks after legal affairs within the government of India, and the Department of Telecommunications secretary, who is not a part of the authorization process, but whose department facilitates the implementation of the authorization of the Home Secretary. They look at these orders and decide which ones can be allowed to remain in effect and which have to be withdrawn. There, again, there is a 5 percent rate at the end of the review committee.
Orders are usually valid for 60 days, and the review committee meets well within that. If the committee judges any particular activity to be inappropriate, it is terminated, and everything related to that activity has to be destroyed right away. That is how it works. Incidentally, this process of the review committee was taken back to the Supreme Court. They were asked to satisfy themselves as to whether this was adequate, and they approved it. Ever since, it has continued as such. We have had many interventions by enthusiastic lawyers who still wish to question the methods in place. The Supreme Court has again come back and said this process was sufficient.
Augustine responded to the question about how one would go about creating a systems capability, for example, within DHS or within the government as a whole. Unfortunately, traditional organization charts do not lend themselves well to taking a systems approach. The reason for this is that organizations tend to be broken up into entities that carry out a given function or given mission, which makes a lot of sense. It does not lend itself well to making trade-offs between the various elements of the organization.
Augustine believes that what is needed is a very small group at the very top with the overall assignment to prevent terrorism. That is simple in statement, but not simple in execution. That group should have the overview to address any issue that relates to terrorism and its impact. Years ago, he served at the U.S. Department of Defense (DOD), which, at that time, was certainly stove-piped. There were very few trade-offs made. Then during the Cold War they created a small group made up of perhaps 20 very imaginative people. They were given the task of being creative and innovative and to do an analysis of the trade-offs. They made trade-offs between civil defense and the number of submarines. The first reaction was: How is that done? They never came up with a universal equation that let one do that, but they shed a lot of light on it. Basically it became an issue of how one invests resources to deal with this overall issue.
At the time, Augustine was in DOD and was always amazed that for many years a third of the budget went to the army, a third to the air force and a third to the navy. It is quite a coincidence that that should be the optimum way to spend the budget. He was not suggesting it was easy to get away from that, but movement was made. Budget allocations need to change from time to time depending on the circumstances. Augustine added that he is a strong believer that a systems group as he has described needs to have not only a strong intelligence input but also a strong red-team that can pretend to be the other side, or to be the bad guys and try to think like the opponents think. That is not usually done. That does not make it less important.
There is significant benefit to be gained from that approach and from bringing in independent, outside thinkers to challenge them. When he was involved with the army, there were some facilities that he was concerned about and the army assured him that they were absolutely secure. He went to the Air Force Special Forces and the Navy SEALs and asked how secure the U.S. Army’s facilities were. Of course, this became a great challenge to them. “We learned a lot of things that we would not have learned by asking our army.” He did not intend to demean the army in any way, but one can become brain-locked, and that is what one has to avoid.
Another participant asked a question of Sandhu. There are systems approaches when developing a plan, and conducting research and development for defense activities, but when responding to a terrorist attack, following the systems approach can prove to be very lax, as occurred in the Mumbai terror attacks. It took 3 days to eliminate all of the terrorists. There must be a need to develop state forces for counterterrorism tasks. There must be some out-of-the-box thinking to respond quickly to such attacks.
Sandhu replied that he does not think it was a lack of a systems approach that detracted from the efficiency that needed to have been brought to bear on the Mumbai attacks. There are internal reviews that have brought forth facts, which are not in the public domain and which he was not free to discuss. No matter how good the system is, it will not be effective unless people are efficient.
With regard to the state police forces that need to have antiterrorism response capacity, first, the National Security Guard, which is the key response mechanism, now has four regional response hubs. Mumbai is one of the hubs, along with Calcutta, Bangalore, and New Delhi. That brings the response capacity closer to the possible areas of attack. India also has a new group created after the events in Mumbai: Force-1. This is a state-owned capacity to deal with terrorists in a tactical manner. It is something like a SWAT team with no component for investigation. Rather than create new forces, other states are going into the domain of reinforcing their antiterrorist squads, and their special task forces so that they have what is necessary to deal with a terrorist incident.
Cohen asked Sandhu to provide suggested readings on the Mumbai case. The Siege, by Canadian and French journalists, has received considerable attention in the United States.7 Is there a better book? What, in the public domain, would be a useful guide?
Sandhu replied that the National Institute for Advanced Studies has done a great job inviting people to speak at this workshop about the Mumbai attacks. The joint commissioner of police in Mumbai is one of the people who was at one of the attack sites and actually fought the terrorists and was injured in the process. He is very familiar with what happened and how it happened. He has been associated with all aspects of the tactical response, the investigation, and the reviews that followed. There is also a report by R. D. Pradhan on the Mumbai attacks, which is available on the Internet.
A participant asked Augustine about how DHS was established, how leaders with strong technical backgrounds were identified, and what role they actually played in establishing DHS. Augustine replied that he was referring to the importance of having people with a strong technical background because so many of the problems and so many of the solutions to the problems the world faces are technical. Certainly, terrorism is an example in many instances, but not all. Because it is important to have competent technical people in senior jobs where there is a lot of technology involved, Augustine wished he could say that they were successful in attracting a large number of technical people into the government to do this. Frankly, in his opinion they were not.
7Scott-Clark, C. and A. Levy. The Siege: 68 Hours Inside the Taj Hotel. New York: Penguin Books, 2013.
There are some technical people at relatively senior levels, but they are disproportionately few. For some reason, within the United States, it is fairly unusual for technical people to take senior positions in government. There is trivial representation by technical people in the U.S. Congress, and Augustine thinks that this is one of the concerns that the United States should have. This is partly the fault of technologists, such as himself, who do not want to be involved with politics. Many find it offensive, so it is hard to get them into government. It is not hard, however, to get them to criticize the government.
Another issue is that over the years, many conflict-of-interest rules have been created that have made it very hard for people to have a career both in government and outside of government. Augustine spent two tours in government, and that would not be possible under today’s conflict-of-interest rules. Some would say that is good, and others would say maybe it is not.
Another participant asked about bioterrorism. Since the 2001 anthrax attacks, considerable focus globally has been given to the bioterrorist attacks and to biothreats emanating from national sources as well. However, there were relatively few casualties in the United States as a result of the anthrax attacks. Subsequently, in 2009, as a result of the swine flu pandemic, there was a large number of casualties all across the world. This raises the question of addressing the issue of biorisk management from two perspectives. One is from the security-centric perspective, and the other is from the public-health-centric perspective. Irrespective of the sources of this accidental or deliberate act, the consequences are almost similar. How would a systems approach address this to create a balance between these two, not entirely complementary, but a little bit contradictory, perspectives to manage the biorisk? At the same time, this also involves a great deal of intersectoral cooperation between the security establishments and the public health professionals. How does a systems approach address these two issues?
Franz replied that this is a very important point. He has long said that we should have an all-hazards approach, and in the United States, the Centers for Disease Control and Prevention (CDC) should be the lead agency. This, again, is a cultural issue. Franz believes that CDC feels that there are more important issues to address than security issues, although they have become much more involved than they ever were. They were first funded for biosecurity activities in 1998. Before that, they had no funding for this type of work, but they did work with DOD to some degree. As long as there is one group waiting for a bioterrorism attack, which may be rare, and another group working with naturally occurring and emerging infectious diseases, which are quite common, the second group will be the most competent to deal with the bioterrorism attack. Franz would use an all-hazards approach with the medics and CDC in the lead if he had the choice, and then add a few extra important capabilities that would be needed to respond to a terrorist attack. He believes, however, that the United States has looked at bioissues mainly as a security problem and has added some medical capabilities into the mix.
A participant followed up with a question about how to balance the security and technical aspects, especially in areas such as bioforensic investigations that require technical expertise. Is this also in the domain of law enforcement? How does one manage this balance?
Franz replied that he believes that the United States has been quite successful. Right after 9/11 and 10/04 (the anthrax letters), an FBI individual was placed with CDC teams as they did their epidemiological studies of naturally occurring outbreaks. This was a very positive and very useful step. Now there are FBI forensic experts who have an understanding of medical and infectious disease epidemiology, which they did not have before. This was fairly easily done. It would be better to have the medics in charge and add in the security expertise as needed, rather than have the security people responsible and add in the medics. As a medic, Franz admitted that medics do not always respond as they should in such cases; therefore, security training is also needed.