Flynn: Disturbing Lack of Attention Paid to America’s Security Vulnerabilities

For the first time since September 11, 2001, passengers at U.S. airports this week were allowed to bring nail clippers, small scissors, and other items onto aircraft as the Department of Homeland Security modified emergency provisions enacted after the 9/11 attacks. Hardly a milestone, yet according to Stephen E. Flynn, the Jeanne J. Kirkpatrick senior fellow for national security studies at the Council on Foreign Relations, the focus on such things is symbolic of a disturbing lack of attention to things that really make the United States vulnerable to terrorism. "We’re putting all our eggs into one basket, taking the battle to the enemy, getting better intelligence, and extending the authority of law enforcement," he says.

But, he says, "We don’t have much of a debate about the fact that the 9/11 Commission’s final recommendations lay untouched in many cases, especially when it comes to spending wisely on first responders and hardening or building redundancy into key infrastructure. We have debates about the Patriot Act and Iraq, and sure, they warrant debate, but they don’t address the full panoply of issues that threaten Americans here at home."

Flynn was interviewed while traveling along the eastern seaboard on an Amtrak train, December 21, 2005, by cfr.org’s Executive Editor Michael Moran.

What is your take on the president’s admission that the National Security Agency (NSA) has been spying on Americans?

On domestic spying, this touches on one of the key concerns that have animated my work. I believe that when it comes to protecting and safeguarding the American people, we must not only focus on the dangers posed by terrorists and their weapons, but we must be mindful of the need to protect ourselves from ourselves. This is a big part of what a homeland security mandate should be—protecting not just physical and living things in America, but also America’s way and quality of life. The do-whatever-it-takes mindset, whether it’s torturing people in Guantanamo Bay or spying on your own citizens, is the kind of perverse argument made by those who argue that there’s no way to adequately safeguard the country here at home because we just have too many soft targets which we can’t possibly afford to adequately protect. This defeatist view about what can be done to make ourselves more resilient at home leads to the kind of advocacy we have been hearing in recent days from the President and Vice President for extreme measures to prevent acts of terror that we would never have considered before. There’s no question, in my view, that dealing with al-Qaeda and the ongoing terrorist threat requires a different level of and different kinds of authority than existed before 9/11. But as a core principle, if you’re going to raise the authority of the government to a new level, then you have to raise the bar on accountability. Unfortunately, what we seem to have today is a constant rising of government’s level of authority with a diminishing level of accountability. The result of that, in the long run, will be a backlash by the public and a loss of support for important measures, particularly as the time between terrorist incidents expands.

How important is the Patriot Act to American security?

It is important that the bulk of the Patriot Act be renewed, to my mind. Yet some of the more controversial elements of it—such as allowing law enforcement access to a citizen’s library records—should be open to negotiation given their marginal importance to law enforcement, particularly when a potential terrorist is far more likely to spend time on the internet than checking out a library book. The argument that these more controversial elements can’t be removed without crippling the act is not true. They can potentially be pared down while still protecting some of the more essential authorities that the act provides. Meanwhile, while we hear endless arguments over access to public library records, one of the most basic tools to support counterterrorism—a single, coordinated national watch list of terrorist suspects—still has not been created. There still, to this day, are several watch lists maintained across the U.S. government, feeding confusion among frontline inspectors with the result that the wrong people are being targeted and potentially the wrong people are being allowed to enter the country.

The imperative that there be far better information sharing within the federal government and among state and local law enforcement agencies was one of the most important and basic recommendations of the 9/11 Commission. The former Commissioners released a report on December 5th that gave the government a D for a grade on how they are doing on this. Yet I see little or no focus on it in the public debate. You get the sense we’re mired in debate over access to a very small universes of marginally useful data, while the big glaring gaps in sharing information already available to law enforcement that might help prevent acts of terrorism go unaddressed because of unresolved turf battles or a lack of investment in new technologies. I don’t see that the administration is embarrassed by this situation. Instead, they seem to want to play political hardball over homeland security. I think it is reasonable to allow a temporary extension on the renewal of the Patriot Act to allow the controversial elements to be debated. Instead we seem to be seeing a replay of the same kind of jockeying for partisan advantage that we saw in the fall of 2002 when Democrats voiced their concerns about proposed changes to federal employee rules for the new Department of Homeland Security and Republicans branded them as being soft on terrorism. A several-month extension allows Congress to deliberate on the more controversial elements of the Patriot Act. It is nonsense to portray this extension of existing authorities as something that is endangering the American public, especially in light of recent revelations about domestic spying.

Should we really be surprised the National Security Agency, given its mandate and secrecy, is spying on Americans?

There’s little question that our technology is such that identifying tidy boundaries and jurisdictions of NSA’s work seems almost quaint. As we fly around the planet with the same cell phone, downloading emails and holding conversations, it becomes very difficult to distinguish between what is foreign and domestic. At a more basic level, I wonder about NSA’s actual ability to glibly separate domestic from foreign sources in the flow of communications that exists today. It probably is not, strictly speaking, possible.

Yet the real issue here is whether NSA and other intelligence agencies are operating with oversight. The requirement that intelligence agencies operate under oversight was put into place in 1978 for a reason -- because before that, they conducted operations that crossed lines and ultimately lost them the support of the American public. Again, it’s important that if you give government increased authority, there has to be a mechanism for oversight and accountability should that authority be abused. If abuse does occur, as a practical matter, you’ll lose public support for what may be a necessary capability. I don’t understand why the administration would simply dismiss going through the special court process that exists. Washington seems to have loss sight of the fact that at the end of the day, there will never be enough spies, censors, cops on the beat, to protect Americans against terrorists’ intent on inflicting harm. Ultimately, it takes a much more engaged citizenry, and you can’t get there from here if the citizenry senses they are losing elements of their rights and their faith in the transparency and honesty of government.

Well, you’re now traveling on one of the most important rail links in the United States, the New York-Washington corridor. How much safer are you on Amtrak today than you would have been on September 10, 2001?

An argument that I have been trying to make about our post-9/11 world is that we have to assume that our most critical infrastructures that underpin our economy are becoming increasingly attractive targes for terrorist groups like al-Qaeda. This perspective runs a bit contrary to the conventional view of terrorism being primarily about spectacular acts of violence that kill lots of people. In my view we need to inventory the things in our society that are both critical and currently vulnerable and quickly work to make them more resilient. Resilience can take one of three forms. One way is to harden things such as putting Jersey barriers around important buildings to keep truck bombs from getting too close. Another is redundancy. For instance, the distribution system of our electric grid would be more resilient if we have an inventory of spare electrical transformers so if one is targeted, it can be replaced quickly and power can be readily restored. Having spares would make transformers a less attractive terrorist target. The third form is to make your response capabilities as good as possible. For instance, the Trans-Alaska oil pipeline really doesn’t lend itself to hardening or redunancy. But quick response to a repair an accidental or intentional breach in the pipeline could be an effective deterrent. An emphasis on one or more elements of resiliency would depend on both balancing the potential consequences of a successful terrorist attack and the costs associated with each of the resiliency options. For instance, in the case of nuclear power plants and key chemical plants, you’re looking at hardening them since the potential for catastrophic loss of life is high and the cost of building spares is prohibitive.

For rail or mass transit, the issue is more economic than loss of life, and the approach to managing the threat is more about effectively managing the response to a possible attack versus trying to harden the system to prevent every possible attack. The London attacks [on the public transit system July 7, 2005] illustrated this. On its face, the conventional wisdom of terrorist being only interested in spectacular acts of violence would seem to translate into the London Underground being a fairly unattractive target. The suicide bombers set off their explosives in cars that were in dark tunnels which makes for lousy television images and did not achieve mass casualties on a major scale. A couple of suicide bombers at the changing of the guard at Buckingham Palace would have drawn far more attention in that respect. But the 7/7 attacks points to the evolution by terrorists towards economic targeting vs. mass killings. I believe that the goal of the terrorists was not some much to kill lots of civilians as to create so much fear about traveling in the mass transit system that daily life in London would be crippled in the kind of way New York City is right now as a result of the transit strike.

However, it turned out that the London Underground was far more resilient than the terrorists probably expected. This didn’t happen by magic. The British government made substantial investments in close-circuit television cameras that allowed them to determine who and how the attacks were carried out. The transit workers were well trained to respond to emergencies and the police, firefighters, and EMTs had conducted many exercises so they responded to the attacks quickly and professionally, reducing the loss of life. Finally, the British politicians did not overreact and the British people themselves showed the resiliency they had acquired after decades of IRA [Irish Republican Army] attacks, by getting back on the trains the next day. As a result of all this, I think in the future terrorist are likely to conclude that the Underground is not a soft target which is worth using their limited resources to take on.

In short, a priority in our war on terrorism should be for the federal government to take the lead on making critical infrastructures more secure, thus diminishing their attractiveness as targets. How far have we come since 9/11? The answer is not very far at all. We’re putting all our eggs into one basket, taking the battle to the enemy, getting better intelligence and extending the authority of law enforcement. Yet we don’t have much of a debate about the fact that the 9/11 Commission’s final recommendations on how to make the U.S. safer at home lay untouched in many cases, especially when it comes to spending wisely on first responders and hardening or building redundancy into key infrastructure. We have debates about the Patriot Act and Iraq, and sure, they warrant debate, but they don’t address the full panoply of issues that threaten Americans at home.

What about airports? Millions are using them as we speak for holiday travel. Are they safer?

There’s good news and bad news here. In terms of the 9/11 scenario -- men with box cutters commandeering an aircraft and turning it into a missile -- we’ve pretty much nailed that scenario. The most important change made is a change in passenger behavior. It’s unlikely passengers would allow that to happen anymore. But the major hole in aviation safety is air cargo. Almost a third does not move on UPS or other cargo lines. Rather, it’s in the lower deck of passenger lines and it’s an increasingly important revenue stream for air passenger carriers. The only thing happening to those cargo items is that they’re weighed to determine how much to charge. Other than that, it’s straight onto the plane. It’s a glaring problem going back to [the 1988 Pan Am] Lockerbie bombing [over Scotland] the opportunity to put into cargo holds an explosive device that takes out the aircraft.

Of course, that wouldn’t have the same affect of turning an airplane into a missile, and on its most basic level, to me, the most important things we did post-9/11 to improve aviation security were relatively simple and not very costly: locking cockpit doors and changing the behavior of passengers. To a large extend, the rest of it, all the passenger screening, etc., has only added much smaller increments of security.

Over the years, we’ve heard of efforts to target bridges and tunnels, particularly in New York City. Has progress been made securing these assets?

Very little has been done outside of improving some surveillance of the sites, mostly relying on surveillance cameras. It’s been very piecemeal and, in most cases, law enforcement officials won’t be near enough to react to an attack if a surveillance camera even picks it up. The main value of surveillance is looking for people scouting out and probing the security of a target. That means you’d have to have someone there to analyze the data you are collecting and they need to be able to connect the proverbial dots. Someone taking a picture of a bridge may just be an artist who wants to paint it. But someone taking a picture of five different bridges that have little aesthetic appeal should set off an alarm. However, across the country, the challenge of taking local law enforcement suspicious sighting reports and putting them together to form a common picture is something we haven’t accomplished yet.

Most importantly, when we talk about some of our critical bridges and tunnels, the ability to protect or to have spares on hand of key components and to nimbly respond when something goes wrong may be the best deterrent. Sabotage is always harder than it may first seem though it is a threat we should be increasing concerned about because al-Qaeda is developing the skills in Iraq to do it better. Invariably, when talking about major targets, the more public authorities and the operators exercise the more everyone understand the problems that would arise in an emergency. Again the ability to respond well is an important part of diminishing the appeal of attacking critical transportation systems as the Brits response to the subway bombing illustrated.

One formula that is sure not to work is our tendency only to surge protective measures when Washington believes it has the intelligence to warrant raising the general alert level. If we should have learned anything from 9/11 it is both the limits of our intelligence community and al-Qaeda’s ability to strike when our guard is down.

What about tanker trucks, trains, and other vessels carrying hazardous materials?

There is some improvement, but the basic, overall vulnerability remains largely unaddressed. Most of our rail travels through the heart of our cities, especially along the East Coast and in the older Midwest cities. They often transit right through the heart of communities and trucks do the same. Barges on inland waterways carrying dangerous cargoes move through large cities in heartland of the country as well. This should be a source of concern. So how do you deal with it? You don’t try to harden every truck, train, or barge. Instead, you think about re-routing the most dangerous cargoes away from population centers, sensitive economic and environmental areas. Where that’s not possible, industry needs to be more transparent about what they are moving with the public authorities in the communities they are transiting through who are involved in protecting and responding. There needs to be a more robust capability than exists today for the rail and truck industry to provide information to local authorities that lets them know what’s coming their way and what contingency they might face. Right now, in most case, all local emergency responders have to rely on are placards on the sides of trucks or rail cars. That’s often is too little too late. There has been some talk about tackling this issue, but so far, it’s mainly just talk.

What about the nation’s large container ports and cargo-handling areas along the various coasts and major rivers?

This has been such a priority for me because the cargo container, the forty-foot and twenty-foot boxes, are really the conveyor belt for our manufacturing and retail sectors. Our factories and stores have come to depend on a razor-thin inventory margins to stay competitive. That means there is the potential for tremendous economic fallout from a single incident involving a container, particularly a dirty-bomb kind of scenario, since our government’s response almost certainly would be to stop the movement of all containers while they sort out the attack and post-attack security. Still today, more than four years after 9/11, the federal government has not put together a plan for how to turn the transportation system back on should it be shutdown after a terrorist attack involving a container. The risk, then, is not so much loss of life or local damage, but literally that an incident could bring the global trade system to a grinding halt within three weeks as the U.S. closes its ports and develops a protocol on the fly to manage it. In terms of how to address this vulnerability, my focus is primarily on the ability to monitor the flows of containers and try to verify whether low risk is low risk or not. That way, if a terrorist incident happened, our public authorities would be able to focus their response to that part of the system where the breech of security took place while letting the rest of the system continue to flow. But if you rely essentially on a trust-but-don’t-verify system [where] you ask companies to be [responsible] but can’t determine if they really are, I worry that everything we defined as low risk will be redefined as high risk.

Again, it’s building resiliency here at home. We need to be able to not only throw a punch, but to be able to take punch, too. The president has not conveyed, in all his talk about doing whatever it takes, the need to inventory the most critical assets that support our quality of life and take the minimal steps to prevent vulnerabilities. Things like the New York City transit strike and natural disasters demonstrate how easy it is to disrupt our lives if the systems we depend on are compromised. If we learn anything from [Hurricane] Katrina, it should be that what you fail to do in advance sows the seeds of catastrophe. That lesson still seems to be unlearned.