This piece is Part I of Security Management's 9-11 Anniversary Special Focus. In this issue we examine the evolving terrorist threat and the progress made in understanding and countering it. In Part II [2], ASIS leadership recount how they dealt with events on that day. One of the architects of the Suspicious Activity Reporting program shares insights into its formation and expansion in Part III [3]; and in Part IV [4], we review the prospects for the newest attempt at a trusted traveler program.

There’s an eerie pre-September 11, 2001, feeling in the air. Post-9-11 terrorist plots to hit targets within the United States have been, in the public’s mind, mostly nonevents. They ignore them just as they ignored the 1999 millennium bomb attempt, because most of the would-be terrorists have been thwarted before they could cause any harm. As a result, one reads statistics like this, from Harper’s Magazine: “Ratio of Americans killed by lightning since January 2002 to those killed by terrorism: 3:2.” The implication is that the threat is overblown.

A familiar complacency is building, leading to less tolerance of the measures and money that it takes to provide security. Bloggers and privacy rights groups rail against intrusive measures such as body scans. Government agencies are at the same time criticized for not doing more to keep out would-be terrorists and tighten border security. Obviously, there’s room for improvement, and no one can defend all the missteps—nor should they—but against this backdrop, it’s easy to lose sight of the enormity of the challenge and the real progress made in the 10 years since terrorists flew planes into the Pentagon and the Twin Towers.

Threat Level

Let’s go back to Harper’s statistic: More American civilians have died from lightning than terrorism since 9-11. What does that really say about the level of the threat? As we are learning the hard way, it’s a mistake to let down our medical defenses against diseases such as measles that seem in abeyance. If we remove the countermeasures that reduce the risk, the threat returns. The public confuses the risk (the size of the problem after preventive measures are put in place) with the threat (the underlying problem).

How should we assess the real level of the threat 10 years out from 9-11? One way is to consider how many people might have died if known terrorist plots had been completed. Former Department of Homeland Security (DHS) Assistant Secretary for Policy Stewart Baker, speaking at a congressional hearing on aviation security, pointed to the 2006 plot to blow up 10 planes heading for the United States from Britain, among other known plots, to show that the threat is real, adding, “Many other efforts have been foiled at an early stage and have not become publicly known.”

Baker was referring specifically to airplanes. But, of course, they are not the only credible target. “Another area that we do have to pay more attention to is surface transportation,” says Brian Michael Jenkins, senior advisor to the president of RAND Corporation, who has been researching the issue with the Mineta Transportation Institute.

Jenkins notes that since 9-11, there have been six jihadist terrorist plots targeting surface transportation in the United States. All were disrupted, but they prove the threat is not theoretical.

Looking more broadly, Jenkins says he knows of 10 jihadist plots that reached the operational stage. Those numbers are sobering if you think about the havoc wrought on 9-11 by a single plot.

But Jenkins puts the threat in perspective. “There is no evidence of a terrorist underground, no army of sleepers. Just veins of resentment and hotheads. It doesn’t mean they are not dangerous, but...they have not proved to be self-starters or competent,” he says.

And while al Qaeda has increased its propaganda via the Web and improved the quality of its communications, “thus far those exhortations fortunately have produced meager results,” Jenkins notes.

It hasn’t hurt that al Qaeda alienated many possible allies within Islamic countries by killing Muslims in many of its terrorist attacks around the world. And the Arab revolutions, though carrying long-term risk as to how they play out, have in the short term made al Qaeda’s calls for violent jihad less appealing, agree many security professionals.

Some experts aren’t as sanguine about these political movements; they worry about the toppling of key allies, behind-the-scenes string-pulling from Iran and Russia, and the potential for the chaos to give the Muslim Brotherhood an opening. But if these structural and societal changes result in more democratic channels in the Middle East, that “makes violent channels less attractive,” notes Professor Paul Pillar, a noted terrorism expert formerly with the CIA and now a visiting professor at Georgetown University.

All of these factors—loss of support, loss of leaders, the revolutions—have weakened al Qaeda. But as Pillar notes, “It has been the case for years now that the instigation has not come from al Qaeda central.... If one looks at these individuals who have come to light here in the United States from Nidal Hassan to Najibullah Zazi and others, in almost every case, the initiative was coming from the individuals here...Nidal Hassan was the one making contact with Anwar al Awlaki, not the other way around,” Pillar says.

And National Counterterrorism Center Director Michael Leiter noted in December 2010 that several al Qaeda affiliates have emerged as “self-sustaining, independent movements.”

We also can’t count al Qaeda out, and, adds Jenkins, the elevation of al Zawahiri to the al Qaeda leadership suggests that the focus will remain on attacking the United States.

One more noteworthy statistic with regard to the threat is that, according to a study by the New America Foundation and Syracuse University, the number of jihadist terrorism cases involving U.S. citizens or residents spiked recently, with 76 occurring in 2009 and 2010, almost half of the total for the prior six years since 9-11, though as of mid 2011, there were less than 10 for the year.

Assessing Our Response

If the threat is real, what’s the real reason we’ve gone this long without a big hit? We’ve kept al Qaeda on the run, toppled (at least for now) the Taliban, taken out key al Qaeda leaders like Abu Musab al Zarqawi, and, most recently, killed Osama bin Laden.

That’s not happenstance. “That’s all related to real-time decision making...based on the ability to integrate the intelligence with the operations,” says Alan J. Borntrager, CPP, member of the ASIS CSO Roundtable and director, security and safety department, Corporate Services Division, SAS World Headquarters.

That’s not just happening within the military and intelligence establishments. Private industry is getting better at information-led security, says Borntrager. “We are on the constant hunt for what other intel, what other data, we can add to the mix in order to make that informed decision,” regarding countermeasures, he says.

Mostly, that data collection is for internal use, to help companies calibrate their security to their own threat level. But in some critical industries, front-line personnel have also effectively become resources for the intelligence community.

For example, at Schneider National Inc., which has worldwide transportation and logistics operations, truck drivers “have really stepped up to the understanding that they have a responsibility to let someone know if something isn’t right.... We report that to the FBI,” says Walt Fountain, CPP, director, loss prevention and enterprise security at the company and an ASIS CSO Roundtable member.

It was thanks to this type of awareness training that an observant employee knew to alert authorities about suspicious materials being sent to Khalid Ali-M Aldawsari, a Saudi student in Lubbock, Texas, explained Martin Rojas, vice president of security and operations for the American Trucking Associations (ATA), when testifying at a House committee hearing on transportation security in July.

Officials at the chemical company that sent the material also alerted authorities. They contacted the FBI. Louis E. Grever, executive assistant director of science and technology branch at the FBI, speaking at a meeting of InfraGard, the FBI’s public-private alliance, called these alerts from chemical houses and trucking companies the tripwires that “give us an edge.” But he acknowledged that we have to credit multiple factors for the fact that so far such plots have been interrupted. “Some of it is luck. Some of it is our institutions. Some of it is they are not very good at it; they don’t get that root level training.”

Information sharing. Because it’s better to strengthen the factors we can control and minimize our reliance on luck and the would-be terrorists’ incompetence, there is a continuing push for greater information sharing.

“That’s the “strongest tool that we have to stop potential terrorist plots,” Rojas told Congress. He noted that the ATA is involved in a number of initiatives to facilitate information sharing, such as the Homeland Security Information Network and InfraGard.

Rojas cites the Lubbock, Texas, incident as evidence that “we don’t need more regulation, we need more cooperation.”
At the same hearing, Thomas Farmer, assistant vice president of security for the Association of American Railroads, said that the rail industry has repeatedly asked the DHS and the Transportation Security Administration (TSA) for a more thorough analysis of past terrorist incidents. He said that DHS advice to companies to be aware of the terrorist planning cycle and look for opportunities to deter or disrupt attacks was all very well, but the agency’s advice needed to be supplemented with more details on each phase, the goal being to identify opportunities where particular security measures might be most effective. “In essence, we are seeking to expand the concept of ‘actionable intelligence’ to include analysis that creates opportunities for security,” he said.

Tim Janes, CPP, CSO of Capital One Bank and also an ASIS CSO Roundtable member, agrees. “[W]e continue to need more public-private partnerships, more communications of really actionable information between government and the private sector.”

Borntrager notes that there have been “huge strides forward” but the information passed on to industry from fusion centers and information analysis centers is still “CNN-heavy”—in other words, drawn from open sources.

Despite general agreement about the need to share, “we’re having difficulty executing that really well,” agrees Janes. But he says that efforts are underway “with some groups like ISMA [the International Security Management Association] and the CSO Roundtable of ASIS, in conjunction with the Department of Homeland Security and the President’s National Security Council, and some of the other government groups to try to figure out better mechanisms to move the right level of information back and forth.”

While the sharing between the federal agencies and industry is a work in progress, within sectors, competitors are far more open to sharing safety and security information than before 9-11. In trucking, for example, says Fountain, “We are not concerned at all about picking up the phone and saying to a competitor, ‘This is happening to us. Do you see it happening?’ If the other company says to me, ‘Yes, we are having that,’ we share investigative resources and data to broaden past incidents in our operation.”

Progress has also been made in smashing the silos separating intelligence agencies. Speaking before a congressional committee on intelligence reform 10 years after 9-11, former Director of National Intelligence (DNI) Admiral Dennis C. Blair said that he was encouraged by the fact that, “As I talk to people, the younger they are, the more they get it; they are prone to sharing. They don’t have the baggage of bureaucratic wars.”

But Blair also noted that reform of the intelligence community is “unfinished business.” He said that some authority intended for the DNI “has migrated back to the CIA,” and he said that he left office “frustrated by the lack of support for a strong DNI.”

Jenkins points out two other concerns with intelligence information sharing across silos: First is what he calls a “hub and spokes” problem—fusion centers and local police departments share up the chain and down, but not laterally across jurisdictions. Second, as the federal and state governments struggle to reduce spending, he expects some fusion centers to lose funding, maybe even to the point of having to shut their doors. That prospect only exacerbates the fact that intelligence professionals don’t see fusion centers as a good career move, he says.

Jenkins also points out that talk of connecting the dots through information sharing shouldn’t overshadow the importance of collecting the dots in the first place. That means domestic intelligence, and that’s a touchy subject in a democracy, but it’s more important than ever “if we are steadily moving into an environment where it’s more likely that plots will be locally generated,” he says.

Who’s the enemy? A call for more domestic intelligence to catch the homegrown terrorist is probably as good a segue as any to lead to the elephant in the room: How should we describe the enemy? The Obama administration has been criticized for avoiding the words jihad and Islamist or radical Islamist in its 2011 National Strategy for Counterterrorism. Instead, it names specific groups, al Qaeda, and affiliates, such as al Qaeda in the Lands of the Islamic Maghreb (AQIM), along with Hamas and Hezbollah, and the Revolutionary Armed Forces of Colombia (FARC), the latter being the only non-Muslim group. “Aha!” comes the criticism. “They just won’t admit we’re at war with Islam.”

But are we? Should we be? Borntrager observes that India has one of the world’s largest Muslim populations, yet none of the 9-11 hijackers came from there.

Critics will say that while not all Muslims are terrorists, all terrorists are Muslims. That’s simply false. All 9-11-related, al Qaeda-affiliated terrorists are Muslim, but that’s a circular argument. It’s like saying that all members of the Jewish Defense League, which embraces violence, are Jewish.

It’s not useful to conflate the concept of Islam as a religion with the fact that we are at war with very specific actors: al Qaeda and what they inspired—a panoply of radical Islamist jihadist groups. But it’s also not useful to be afraid to categorize these organizations’ followers as radical jihadists and to rationally discuss the threat. So, for example, it’s legitimate to discuss concerns about prison radicalization, but it’s unfortunate that Rep. Peter King (R-NY) couched hearings on the issue in a way that has riled some communities,” notes Pillar.

Pillar also admits that “policy elite types like myself have tended perhaps to be too complacent with regard to our Muslim American communities” being well integrated into society; it’s been shown that homegrown radicals do exist.
But Jenkins points out that if you compare the total number of U.S.-based jihadists apprehended since 9-11 to the American Muslim population of several million, you get a rate of about 6 per 100,000. To put that in context, Jenkins says, consider that the prison population exceeds 700 per 100,000.

It’s also worth noting that more than one-fifth of those cases came to light because Muslim community members or family members alerted the authorities, according to the New America Foundation study. Indeed, asserts Pillar, “people at the FBI and major police departments will repeatedly tell us, the best information they can get in finding needles in a stack of needles is voluntarily provided information from members of the community itself.”

It seems clear that destroying those lines of communication and trust is not helpful to the cause, nor is a head-in-the-sand approach to the nature of the risk that may lurk within those trusted communities. Yet 10 years after 9-11, that’s still a source of contentious debate.

Government measures. It’s impossible to do a full analysis here of everything DHS has tried to do since its establishment in 2003. Suffice it to say that for every aspect of homeland security, many gaps remain, and on a micro level, problems are legion—every Government Accountability Office (GAO) report and homeland security hearing enumerates an endless array. For every claim of progress from the agencies, there seems a counterclaim of failure. Visas aren’t sufficiently reviewed, borders aren’t sufficiently guarded, weapons slip past screeners, and so on.

But if we assume the failures are not willful, we might ask whether we have put agencies in untenable situations. Take airport screening as an example. With regard to screening people, the agency has three basic options: Look at travelers’ backgrounds, look at their behavior, and look at their bodies. The agency has tried all three but gets criticized on all counts without regard for the fact that they have to operate in the real world, where no solution works perfectly.

As Baker pointed out in his congressional testimony on airport security, privacy advocates have thwarted TSA efforts to gather background information on domestic travelers that might help screeners narrow their focus, yet the same groups object to TSA treating everyone equally in terms of pat-downs and body scans.

The agency is now trying to thread that needle by again attempting to pilot a trusted-traveler program. Rather than looking into the backgrounds of all travelers without their permission, the trusted traveler program will let people volunteer to provide information so that TSA can give them less scrutiny. (See related article, page 82.) Even if that works, and it’s a big if, that will still leave the agency with a very large population of low-risk travelers whom it must treat as equally presenting the potential of a terrorist risk.

To that end, since 2007, it has also tried the third arrow in its quill—looking at behavior. Counting the FY2012 request, the agency is on track to have invested $1 billion in training behavioral detection officers (BDOs). How’s that working? It depends on how you choose to look at the issue. The GAO noted that “the scientific evidence for behavioral monitoring is preliminary in nature,” leading to media headlines that bemoaned the waste of $1 billion in federal dollars on an unproven program.

But “preliminary in nature” isn’t the same as bad. The same GAO report noted that the DHS’s validation study found the program “more effective than random screening.”

Additionally, an April 3, 2008, TSA report notes that a BDO caught a passenger acting suspiciously who was about to board a flight at Orlando International Airport. He had a bag containing various items that could be used in bomb making, along with bomb making literature.

In a world where the terrorist threat is real but the actual number of cases among about 800 million passengers yearly is infinitesimal, the number of times you get a hit will be extremely small. That needs to be considered in evaluating any terrorism program’s value.

Business Security

What do private sector companies do differently with regard to security as a result of 9-11? “I think there’s been quite an evolution in terms of the business function of our security operation here at Capital One,” says Janes, who, having joined the company as the number two security person shortly before the terrorist attacks, has seen the change firsthand. “We are certainly better in tune with travel safety, threat analysis, and crisis planning [including] business continuity,” he says.
Other company CSOs interviewed voiced similar shifts in emphasis. “We talk a lot about resilience,” says Borntrager. “That’s not a term that really came up before.”

Borntrager mentioned the Private Sector Preparedness Accreditation and Certification Program (PS-PREP) as something his company looks to for guidance in formulating programs. It’s worth noting that before PS-PREP, which is a voluntary Federal Emergency Management Agency program that ASIS helped develop, there was not a set of standards businesses could reference when trying to develop all-hazards programs. So an ancillary effect of post-9-11 planning has been greater preparedness and continuity planning for a range of potential disasters far more likely than a terrorist attack.

Ill-effects. With regard to response capabilities, if an event should occur, many businesses are individually more prepared for a disaster. But the U.S. healthcare system is less prepared, warns Dr. Robin McFee, medical director of Threat Science, a security consultancy, and a member of the ASIS International Global Terrorism, Political Instability, and International Crime Council.

After the anthrax attacks that came shortly after 9-11, “a lot of money was pumped into training on bioterrorism and chemicals and radiation. Hospitals were incentivized to enhance their training,” she recounts. Then “the dollars started shrinking, and so did the interest.”

Emergency medical services providers aren’t getting pandemic preparedness. And in terms of surge capacity, the ability of hospitals to take care of mass casualties, “that not only hasn’t been fixed, we are in fact seeing a backslide,” says McFee. Numbers from the American Hospital Association show a clear downward trend in terms of numbers of beds available per 100,000 persons.

But it’s not just how much money there is. Michael R. Cummings, CPP, director of Loss Prevention Services at Aurora Health Care, says that he would like to see more accountability and more risk-based allocation with regard to who gets the money and how it’s used by hospitals.

Outlook

The post-9-11 world has been psychologically stressful, but ironically, as Jenkins puts it, “With the exception of Nidal Hasan’s attack in Ft. Hood, this has been the longest run in U.S. history going back to the 1960s without a major terrorist incident directed at U.S. targets at home or abroad.”

That’s good, but it leads to a false sense of security. Overall, says McFee, “The perception is that the threat isn’t as immediate anymore, so the message is ‘yeah, be prepared,’ but the emphasis isn’t there.”

The problem, notes Jenkins, is that “The threat landscape that we see today is pretty much what we are going to see for the foreseeable future.” We have to “learn to go long” and put security measures in place that will be financially and politically sustainable.