America the Vulnerable: How Our Government is Failing to Protect Us from Terrorism

January 25, 2005

America the Vulnerable


JOANNE MYERS: Good afternoon. I'm Joanne Myers, and on behalf of the Carnegie Council I'd like to welcome you to our Authors in the Afternoon program. Today we're very pleased to have with us Stephen Flynn, the author of America the Vulnerable, and his book will be available for you to purchase at the end of the program today.

The events of September 11th made it quite obvious that the world is a risky place in which to live. The strikes, both in New York and Washington, highlighted the fact that our borders offer no effective barriers to those who are intent on bringing violence to our soil. Consequently, we need new ways of thinking about terrorist weapons and comprehensive security measures to protect us from future threats.

Despite the creation of a Department of Homeland Security to deal with potential attacks, it is Dr. Flynn's opinion that there remain a vast array of viable soft targets—such as our water and food supplies, chemical plants, energy grids, and pipelines, bridges, tunnels, and ports—just waiting for our enemies to hit. In fact, for all the concerns about safety at the nation's airports, counter-terrorism officials and other experts say the nation's ports may now present a greater threat. Our speaker today believes that it does not have to be this way. Although we may be making progress, he says, the measures we have put together to protect these vital systems are hardly fit to deter amateur thieves, vandals, and smugglers, let alone determined terrorists. His warning is explicit: much more needs to be done.

In America the Vulnerable, Dr. Flynn proposes a new framework for how we should deal with the post-9/11 world. Using his vast experience, he presents possible scenarios and suggests ways to tackle specific vulnerabilities, especially in the areas of trade, transportation, and border security, where we are the most vulnerable.

Dr. Flynn has been thinking and writing about these issues for some time. He is a recognized expert on homeland security, border control, global logistics, and maritime and transportation security. His experience in these areas began over a decade ago.

After graduating from the U.S. Coast Guard Academy, he spent twenty years as a commissioned officer in the U.S. Coast Guard patrolling our shores. He retired with the rank of Commander. He later served in the White House Military Office during the first Bush Administration and was Director for Global Issues on the National Security Council staff during the Clinton Administration.

In the fall of 1999, Dr. Flynn was invited to join the Studies Program at the Council on Foreign Relations His goal was to write a book on how border management must become adaptable in order to more effectively police people and goods moving at greater speeds through the international system.

Then 9/11 occurred and he was asked to serve as Project Director for the Homeland Security Task Force. The book is a result of those efforts.

In a time of homeland insecurity, as we forge through the various color alerts and question just how vulnerable we are, it is with great interest and pleasure that we welcome to the Carnegie Council the Jeane J. Kirkpatrick Senior Fellow in National Security Studies at the Council on Foreign Relations, Dr. Stephen Flynn. Thank you for joining us this afternoon.


STEPHEN FLYNN: Thank you. Thank you so much for coming today. I'm really honored to be able to have a chance to chat about an issue that I would argue we didn't talk about in this last election. As much as we had a "war on terror" as the abiding issue of the Campaign 2004, I would suggest that neither candidate addressed many of the issues that I raised in my book, that I am here to discuss today.

In fact, I would argue that they didn't address the core realities of 9/11. The terrorists were here. They didn't import a weapon of mass destruction; they converted something that we depended up on in our day-to-day lives, commercial planes, and turned them into one. And most of the costs, beyond the horrific loss of life, were things that we did to ourselves because we were spooked.

But rather than engage in that troubling set of problems, what we got was "the best defense is a good offense," that the only way to win the war on terror is to take the battle to the enemy—that if we do it over there, we don't have to fight them here. All very seductive. Unfortunately, not connected to the real world we're in, as illustrated by the events of 9/11.

We really had just competing variations of that theme. For one thing, the President is a little more state-centric; we want to make sure that states, whether the "Axis of Evil" or others, who are in the position of aiding and abetting terrorists get the message that's not a good idea. And then on the other side of the equation, we got more of a tactical approach, that if we can put together our law enforcement, our intelligence assets, and if we get multilateral cooperation, that somehow we can take the battle to the enemy more effectively that way.

But each candidate felt like they had to out-testosterone the other in declaring that they would kill the terrorists if they got their way, and we never got to really talk about the fact that America's very vulnerability, I suggest, invites catastrophic terrorism as a means of warfare, and that we're still not making much headway towards confronting that reality.

This I state as an up-front thesis. Quite simply, what we saw on September 11th is how war will be fought against advanced societies in general, and the United States in particular, in the 21st century. That is, the use of catastrophic terrorism directed at the non-military elements of our power, our civil society, the critical infrastructure that underpins our power, will be the way in which the warfare will play itself out in this century.

Now, I make that case in two ways. The first, particularly in the United States, is a dearth of alternatives. The United States will spend more on conventional military capability in 2005—that's our air forces, our navy, our armies, and our space-based assets—than the next thirty nations combined. By 2008 it will be more than the entire world combined. There has never been a time in human history where as much conventional military power has been concentrated in a single power, as the United States possesses today.

In fact, to put it into some sort of historical context, think about the British Empire when the sun never set. Their goal was two capital ships for every one that a great-power competitor might muster. Here the United States has more than everybody else combined, and it's lethal stuff.

That suggests to me there's only two possibilities in which you take on this particular power, and that is: either we have very dumb adversaries who confront it; or they adapt. As a student of military history, I suggest that adapting is probably what they will do.

It turns out there is another unique element of our current age that provides opportunity and motivation, and which makes us all in this mix together. It is that in the case of the United States its power is built primarily upon the wealth generation that comes from being attached to global networks of transportation, logistics, finance, energy, intellectual capital, and that these networks are essentially largely outside the reach of its jurisdiction.

So unlike the Roman Empire, which kept marching out and controlling the economic space over which it ruled, in the case of the United States, its wealth, the underpinning of the power, allows it to bankroll that military power. So what is due to its reliance upon these networks? Now, I would argue that over the last twenty years these networks were driven in terms of their progress in the international community with four imperatives in mind: how do we make them as open as possible; how do we make them as efficient as possible; how do we make them as reliable as possible; and how do we make their use as low-cost as possible?

And these were cascading: the lower the cost, the more users; the greater the need for efficiency and reliability, the more you could count on them, the more people use them. The problem, of course, was security was viewed in this context as raising costs, undermining efficiency, undermining reliability, and putting pressure to close the networks.

And so it turns out that acceleratively over the last two decades we have constructed these incredible global networks which have virtually no security built within them. In fact, we had a decided prejudice against putting it in there.

I describe my life pre-9/11, where I was working in the areas of maritime and transportation security and trade security, as like being a teetotaler at a New Year's Eve party. When I went around and said, "We've got a little problem here. You know, there are multi-ton shipments of narcotics that move through the system, there is every form of export control we ever dreamed up violated in the system, we have countries being routinely defrauded of their revenues because people lie about what they move in the system, we've got weapons of every choice moving throughout the network; we have people moving in boxes, some who are dying en route. I'm looking at this and thinking it's a little porous."

The response was, "Cost of doing business. Terrible thing that public good not being achieved in this network; but overall, just like major retailers do for shoplifting, you accept a certain level of malfeasance and you get on with the benefits of the system."

Now, there's a difference, of course, between exploiting the system and targeting the system. This is where the terror issue plays itself out. My concern is that these networks provide rich opportunity for exploitation and infiltration, but also for essentially carrying out attacks that undermine what is most critical to these networks' operation, which is trust. So again, the financial sector, all these other networks, at the end of the day require people to believe that there is more benefit from being attached to them than being detached to them, and that the harms that are essentially associated with them are less than the benefits overall.

This is a rather complicated sell to a general public who doesn't even understand the basic elements of globalization. And, particularly in the U.S. context, they appreciate the benefits without having much in the way of understanding how it all works.

And so when something goes wrong, like when a container with a weapon of mass destruction goes off in one of our streets—or more than one if it's al-Qaeda style—the response is simply to say: "Make it all go away. Stop the trucks, stop the trains, close the borders, make this stop." Explaining the complex cascading effects that that requirement leads to in short order is something that's a pretty hard sell to do when a public is traumatized and none of this has been worked out in advance.

So basically, whatever group is out there looks at these networks and sees that they are an open invitation for this kind of warfare to play itself out. And of course, the former al-Qaeda and its imitators are a particularly capable group to exploit these networks, and they have the incentive to want to create economic and societal disruption.

We should be thinking about how do we make these networks—not secure, because perfectly secure is not possible—but more resilient in the face of this risk. The stakes are very high. The risks are very high. We should make these networks far more resilient than they have proven themselves to be to date, as an act of not just U.S. policy, but clearly all of us who are vested in this as a part of collective effort by civilized countries.

But that is not what we have done since 9/11. I want to spend a few moments talking about why haven't we done this, and then talk a little about a prescription, how we can make this workable.

So why haven't we identified this? Why didn't we let this seep in? I think it's pretty straightforward to explain in the American context why there is such an appeal to this notion of taking the battle to the enemy. This is precisely how we've handled national security for over the last hundred-plus years.

If you think about this, in every nation in the world national security is really usually about two things: first, protecting the nation; and second, if there is any power left over, protecting its interests beyond its shores.

That's every nation but the United States, where national security only is about that second thing, projecting its power beyond its shores. The actual defense of the nation, protection of the nation, is something that the Pentagon simply doesn't do—in fact, has a real aversion to doing. In one of the chapters of my book I talk about my experience as a junior officer, a towboat captain working out of Norfolk, Virginia, where I was called in one day in 1985 to a meeting of the Commander in Chief of the Pacific Area because they had a terrorist threat directed against a returning cruiser named the USS YORKTOWN. This was 1985.

The question that was posed to me was how was I going to protect the USS YORKTOWN against this terrorist threat. So I find out that not only does the navy not protect the United States, it doesn't even protect itself when it's in U.S. waters. Not its business. Its business is protecting over there.

What we found instead, in the immediate aftermath of 9/11, was that we needed to have a conversation that said: this line between over there and here has really gotten blurred and we have to rethink what national security, and the huge allocation of resources we make to it, means in the context of a threat.

When the President stood before the Joint Sessions of Congress just ten days after the attack and announced that then-Governor Tom Ridge would be the new guy in charge of homeland security, you could almost see the collective sigh of relief by all the State Department and intelligence community and so forth. "Whew! We're not going to do that new stuff. We're going to do national security. This new thing, whatever it is, that's a homeland security thing."

And so the response we ended up with was essentially taking the way business is done in national security—which is marshaling a lot of military power, directing it at states—putting it on steroids and essentially going forth and doing that. And as for all this other stuff we said was homeland security, we cobbled together a few lousy, dysfunctional, broken agencies, put somebody in charge and said, "You take care of this new stuff."

When we actually look at the resources by comparison, we're talking close to half a trillion dollars on national security this year and about $20 billion new dollars for homeland security. It looks to be about a nickel on the dollar.

So when it comes to real investment, we haven't had a conversation about this as a new national security problem, saying, "If warfare is changing in this area, how do we go about it adapting to it?" We're basically saying it's a homeland security problem and traditional national security works on the same principles that it was geared to do pre-9/11.

Now, of course what's crazy about this is that homeland security ends up being pretty counterproductive because, as I mentioned at the outset, these are global networks, and so assigning the job of securing them to essentially a domestic-focused agency is a bit like hiring a computer network security manager who says, "I'm just going to protect the server next to my desk because it's way too complicated going out to those other computers; we'll just worry about this one." Such a person wouldn't hang onto his job long.

But the challenge here is these agencies, of course, are trying to secure a node of networks that in fact expand beyond our shores, which involves foreign policy, economic policy and other kinds of issues. But it doesn't have the charter to deal with those. And so not only are we not prioritizing it, but we're really mangling it by this approach that we're taking.

We have to come up with ways in which we could recalibrate and rethink this, to perhaps turn on its head this current paradigm of "the best defense is a good offense." I'm trying to make the case, in part, that maybe the best defense turns out to be a pretty good defense; that in fact by making our networks more resilient to the inevitability of terrorist attacks, when we are attacked there won't be mass disruption and huge costs evolving out of it. You start chipping away at the military value of engaging in catastrophic terrorism as a means of warfare.

For organizations that have limited resources, there is some risk in carrying out a terrorist attack. Every time you carry out an attack you leave bread crumbs; you basically leave indicators that allow us to, usually quickly and fairly efficiently, roll up the network of the organization that carried it out. We saw this in the Madrid bombing, where in the course of about ninety-six hours we pretty much got everybody.

It's almost impossible not to have that happen. And you have to evaluate, if you spent years developing a presence and a capability, whether you want to put it at risk for something that doesn't achieve much in terms of real value, except for making a statement.

And so, at a minimum, we can start to deter, I would suggest, the exploitation and targeting of the most valuable and most vulnerable things, because the risk of being successful is managed, and you end up with acts of violence, much like we end up with other crime and so forth, as a part of what we have to deal with in day-to-day life.

But to make this approach, to rely on building resilience, we need far more in the way of multilateral and global cooperation, but we very much need private engagement as well. This is a real problem it would seem to the Administration, because the Administration has stated in its homeland security strategy that there is "sufficient market incentive for the private sector to protect itself, and that the federal government's job is national defense and border security."

Now, unfortunately, we have three and a half years' of data which suggest that the private sector isn't protecting itself. That is, there are not serious investments being made in securing this critical infrastructure. I make the case that there is a pretty straightforward reason why. I get this mainly anecdotally from talking to a lot of CEOs and asking them "Why aren't you doing anything? This is a vital sector. Your company or your corporation, the lights will go out if, God forbid, something happens."

What you find out is that it really is a classic tragedy-of-the-commons problem. No single private-sector entity owns all of any critical infrastructure, they own a piece of it, and security is baseline cost. So I play out a scenario that looks like this. Imagine I'm a CEO or president or general manager of a marine terminal, and I drive in to work one morning, and I look at my rent-a-cop who's at the gate, who looks a little bit drowsy and a little too well fed. And I look at my chain-link fence that's not something that would intimidate the average fourteen-year-old, never mind a determined terrorist. And I look at the general chaos that's going on around me, where I really have no idea who comes in and who comes out.

So I come into my boardroom and I say, "By golly, I am not going to be the next Logan Airport, the next terrorist attack. It's not going to take place at my terminal. We're going to make security a priority in this company."

After I get through my tirade, my chief operating officer will say, "Okay, boss. This will involve cost, so where would you like to absorb those costs? Shall we pass them on to our customers and chase them to the piers next door? Or do I take it out of the bottom line and chase our shareholders away? Help me out with that one."

Then the chief security officer will say, "You know, these guys are reasonably capable. They don't do random attacks, they actually stake places out, so they'll see our terminal is pretty secure but the guys next door aren't, so they'll target them. But the whole port will get shut down anyway."

And the governmental affairs officer will say, "You know, after something like that happens, Congress loves to come up with nifty ideas of how to fix these problems that will likely look nothing like the investment we've made up front."

And finally, you will hear from the general counsel, "Sir, I would be very careful how you proceed. If we take these extra measures to secure ourselves but it turns out post the incident not to be sufficient measures, then it might seem that we have acknowledged a threat but not perhaps exercised sufficient due diligence in response to it. This is a very tenuous area here. I'd be very careful before I'd walk down this path."

So then it turns out the only rational thing for a CEO to do is to toss and turn at night and to focus on the bottom line during the day, because we haven't got the incentives in place for the private sector to engage, even though they own and operate most of this, in a constructive way.

So ultimately we need to be talking about arriving at standards, baseline standards, of making these networks more resilient, both in terms of ideally preventing these attacks should they happen, and, should they happen, being able to restore the networks very quickly so that disruptive economic consequences are mitigated.

That will require some concurrence amongst governments about what adequate security is. This is a key government role. The private sector is going to be unwilling to say what level of security is enough because, post the event, we are almost all as a public going to judge it and say, "You got it wrong." It has to be ultimately a political entity that decides where that cost/value/ security matrix is done.

It has to be anointed; the private sector has to be vaccinated from that. But the arriving at what's sensible has to have a private-sector voice, and it has to be done in this multilateral context. And guess what? Our U.S. government isn't constructed to do this. And it's not paying attention to it because it has put all its eggs in the "the best defense is an offense" basket.

I'm convinced that when we start looking at these networks and figure out how we make them more resilient, that we're actually going to find that we should have been doing these things even if there were no terrorist threat. In one network, for instance, just the need for dealing with pathogens; that needs a functional public health system operating on a global scale. Now, there may be people with malicious intent out there who are trying to spread germs, but there is plenty of naturally occurring stuff here to tell us that we need to do that in any event.

In the case of transportation and logistics, an issue I spent a lot of time on, many of the things that I'm looking for, which is visibility and accountability of networks, are things in the private sector that are called "supply chain visibility" and "asset visibility."

There are also public goods that I laid out at the outset that transcend terrorism: pilferage in the system, countering narcotics issues, illegal immigration, export controls, and a whole bunch of other things.

As a security professional thinking about and worrying about these things for a long time, I take it as axiomatic that no security will work at the end of the day unless it provides a dual benefit: either a public good or a private good. I make this case because anything that is solely about security ends up becoming static, as complacency sets in and a tenacious adversary figures it out and end-runs it. The only thing that it turns out actually works is to have an ongoing investment in keeping it alive and moving and adapting. That only happens when there is something else constantly rewarding that good behavior.

Not every single thing fits under that profile, but it turns out there's quite a bit. There's a lot that we could be doing and talking about in this conversation, not about "us vs. them," or "good vs. evil," but basically about how do we sustain our civil society in the context of this threat.

This leads to my final metaphor, which I borrowed from my public health community friends. In the best of all worlds, we would develop a vaccine to be able to deal with the HIV virus so that if anybody is infected we'd be able to root it out. Unfortunately, we know it's an incredibly complex virus that has the capacity to adapt and mutate and there are a lot of people infected right now. If we put all our eggs in the developing vaccine basket, we would probably not be serving ourselves very well.

Well, so what have we been focused on? It turns out if we do a little thinking about it, of course HIV doesn't kill; what it does over time is it compromises the immune system and the natural pathogens kill. So what has our prescription been in the medical community? To develop things to bolster the immune system to coexist with the virus, so instead of being a terminal illness it becomes a chronic illness.

I would argue that our immune system in the United States, the global immune system for advanced societies, is our civil society and the critical infrastructures that underpin our way of life and our quality of life. If we directed more energy towards bolstering those things, at the end of the day I think we would be in a far better position, making much more progress on the "war on terror" than the current path that we're heading down.

So with those words, and hopefully a little bit of provocation that they contain, we can get some questions. Thank you.

Questions and Answers

QUESTION: I want to ask the question that everybody seems to be asking, and nobody can come up with an answer: why hasn't there been a terror attack in the United States since 9/11?

STEPHEN FLYNN: I don't have a definitive answer, obviously, on this. Of course, one of the contentions I make overall is that in our current approach the mantra is that we'll have a threat-based risk management approach to protecting our homeland. Threat-based assumes that we have underlying intelligence that would actually support that. We've had pretty good documentation of late about how broken our intelligence services are. We don't really know much about this adversary; that's a problem, and it's going to be a long time probably before we get the capability to do that, to know more.

But the consensus amongst those of us who have spent a lot of time dwelling on this is that it goes back to a point I was making earlier, that they don't have unlimited resources, and the risk for them is that when they carry out acts they actually expose themselves to enforcement action. The consensus seems to be that more and more Osama is looking for acts that are not political statements, but that are more likely to cause economic and societal disruption. This requires a good level of sophistication. That is why I think we have rather overdone it on inaugurations and conventions, while behaving as though everything is okay the rest of the time. Politicians seem to think they're the only ones who are actually targets in this new world.

Initially there's a view that of course we did disrupt the command and control when we took Afghanistan away as an effective base and we made it difficult or impossible for Osama to communicate effectively. Most of the folks were trying to do things like truck bombs and so forth, and that's what we saw. They went into hotels and banks and other kinds of things. We saw these various actions.

But the thing that makes most of us more wary was the Madrid attack, which was largely a homegrown affair and showed a great deal of sophistication, a real understanding of political timing, and was extremely well executed. So it shows that, rather than just being managed from Pakistan or other faraway places, that in fact this capability is being developed indigenously. But again, as was also shown in Madrid, we were able to roll up very quickly. It seems clear that they want a more spectacular result than the last time and they're willing to take the time to do it. And so actually I don't think it's paranoia that informs us; the more time goes by, the more nervous I get.

There's a lot of easy things one could do. We all know that. Just walking around Manhattan or anywhere we go, we could say, "This mischief or that thing could happen." But those things are localized. You can kill people that way, and you can certainly create initial panic or whatever doing that, but to really actually affect systems takes a lot more planning and sophistication. I think they're capable of it. They have demonstrated a willingness to invest in efforts to get things like nuclear materials and so forth. So we shouldn't take this time as something to give us solace. It should be the other; we should be seizing the moment to try to do the very hard work of catching up with the two decades-plus neglect of threats that we didn't pay much attention to.

QUESTION: I understand what you are saying with all of this, but one of the things I think we really have to look at is that for most of our history we have not worried about an invasion of our shores. And even during, let's say, the 1950s and 1960s, when we had "mutual assured destruction," we worried more about intercontinental missiles than we worried about an invasion, so that we really didn't have to do much to beef up our defense on our own shores. I think we were focused outward and that was the trend of the American military. I think that has continued up until recent times, because we're still not terribly worried about an invasion of our shores by Arab militants or anything else.

But we have a couple of factors here. When we had some attempt made to protect ourselves against missiles through an anti-missile defense, we had individuals railing against this, saying, "We can't do that. You know, we have MAD [Mutually Assured Destruction] and all that kind of stuff. So we're not going to disrupt the situation by trying to come up with antimissile defenses."

But right now we have to look at another thing: to what extent are we really understanding what is happening with the so-called terrorist groups? Are they really terrorist groups, or are they something else? This is one of the things that is being discussed now. Michael Scheuer, now that he's no longer anonymous, has pointed out that we don't really understand what these groups are; or, if we do, we don't want to. There is an international strategy, an international connection here, that goes beyond trying to blow up something here or send planes into the World Trade Center.

Since we are vulnerable as you say, should we make ourselves into our own strategic state, almost a police state? I think that's what civil libertarians are worried about. Perhaps we don't need to go quite to the extent that you're talking about. We still have to focus outward, which is what the Pentagon has tried to do with this new secret team that's going to take the covert actions elsewhere.

STEPHEN FLYNN: Right. Well, let me begin by saying I think your analysis is dead on. It was rational how we behaved throughout the 20th century, to basically focus over there, because we live in the most peaceful part of the planet: friendly neighbors to the north and south, big oceans to the east and west. The threat if it came was from a missile. So that was a practical plan.

But I would suggest that we have failed to adapt to the fact that the adversary is more and more directed towards critical infrastructure or towards civil society at large, just because the military says that's not what they're prepared to do and that's not what they are willing to do.

And it would be fine that they are not willing or prepared to do that, if they would say, "We'll give you some of our resources because we know that's also important." But of course that's not going on either.

The basic analysis of these groups—and again, we're all grasping at straws a bit here—is that we're talking about thirty imitative organizations operating in about sixty countries of the world. We certainly know about them in Western Europe and in Canada; and we know there's some footprint here. So I'm not sure how these army commandoes are going to work in Madrid or in the United Kingdom.

It's not either/or in my argument here. I'm not saying all defense/no offense. But it's basically recognizing the limits of your offense. A military is not a very effective counter-terrorism force; it is going to take some while to get there. We don't have the underlying intelligence about these particular networks and it is going to take us probably a decade or more to get it. So you should have a fallback position in between if you have things that are very vulnerable and that are very fragile, because you haven't taken basic preventative measures.

Now, the next thing to address is this issue of a police state. I was trying to make this argument with the dual-benefit argument here. You know, in many cases it's not because security measures are just about security that they fail, but actually they are often simply counterproductive.

My illustration of this was learned as I was marching along the U.S.-Mexican border in 1999-2000. I would argue you couldn't design a better system to advance organized crime than what we developed to harden the border, to control it. Essentially what we did in hardening the border was we created a market working around the controls. There was more "informal behavior," politely put, which made it more difficult to police.

And so you get this cascading effect. Let me give you an illustration: Laredo, Texas. Laredo is a place you probably wouldn't stop if you didn't have to, but you have to because it's a border control point. When we hardened the border for all the incoming stuff, mainly stuff that comes from Monterrey, it made it so inefficient to go anywhere near the border that long-haul trucks created depots in northern Laredo where they could go and unhitch their load and then pick up a new load and go back into the interior.

The people who dealt with the short-loads were basically just drayage, Mexican labor who were paid $10 a load. There were mom-and-pop companies—this is where old trucks go before they die—who would perform this function: the truck would come to the depot, then the depot owner would contact a Mexican broker on our side of the border, who would hire somebody to pick it up to take it to the broker, who would make sure the paperwork and the revenues were collected; then he'd call another guy to pick up the load to take it to the border, to wait in the three-hour or plus queue to get across the border to drop it in another depot in Nuevo Laredo for a long-haul truck in Mexico to take it into the interior.

You think there's opportunity for mischief in this process? And, of course, if you came to the border, you'd say, "This is a lawless place. We've got to secure this." But it was the methodology of securing it there that actually was creating that environment. The other consequence, of course, was that you created the incentive for organized crime to become more sophisticated to work around it because it was more lucrative, so you could pay off more people because you wanted to smuggle your goods or your drugs or your migrants.

So really the police state direction—not only on the civil liberty front, but just as a practical matter—often just gets you in a lot more trouble.

The issue is to think about this less like security of gates, guards, and guns and more like safety. If you thought about safety 100 years ago and you talked to most captains of industry and robber barons, they would have said, "This is crazy. If you want to talk about workplace safety, product safety, environmental safety this is a cost issue you're imposing on me. You should stay out of my hair."

The reality was that as a more advanced industrial society developed, you had to figure out the productivity you got vis-?-vis the cost that could happen to human life and the consequences. And so you had to ask three questions: (1) what if an act of God or (2) what if human error or (3) what if mechanical error caused something to go wrong? You had to have demonstrated you had thought that through and, based on its value or the consequences, you had to build in some safeguards.

Today, this is a matter of course. We don't design buildings or any new system without thinking through those three questions. I suggest our new age is: what about if somebody with malicious intent targeted something? If it's of value, you have to think that through.

There are ways to do it without shutting it down. Just like you don't make safety an end unto itself, you make security just about: "There are people out there with malicious intent who will target these systems; what is a reasonable measure to take to manage that risk?"

If you do it right, I am convinced that you will actually get other dual benefits. Just like the quality argument of twenty years ago when everybody said quality was a cost issue in American boardrooms; "the customers won't pay for that; it's a tradeoff issue" Unique to the Japanese was they said: "Build it into the process; not only do you actually diminish the cost but it becomes a competitive advantage."

Security can be a competitive advantage too. Increasingly—and I say this to many overseas countries—you become a jurisdiction where the prospect of bad things happening is less than in other jurisdictions and in the environment of growing threat and uncertainty it's likely that market forces will move in your direction.

Or another illustration is Chile, not on the security issue but on food safety. As a result of the arsenic incident of many years ago, Chile now is identifying agricultural products with bar coding and RFID tagging so they can identify where every bit of the produce comes from. They're doing it thinking that increasingly, as food safety becomes more of a concern, Chile will be the place you want to buy it from because they can prove that it was handled under benign circumstances.

So it may be possible for us to get us out of thinking this is all about security as a police state versus not. It's about mature thinking about what the problem set is. There are things that we value that people of malicious intent will target, and how do we put our creativity together to think about putting adequate safeguards in place?

QUESTION: It would seem to me that if they really wanted to disrupt our society, a computer virus could disrupt not only electrical systems, commodity markets, stock markets, defense—everything. So how would you address that? And is their object just to kill on a grand scale, or do they want to destroy us internally?

STEPHEN FLYNN: Well, it is of course a mixed lot. This "terrorism" word has got a lot of baggage with it here.

I would say that a small group of them with some sophistication are thinking in terms of economic disruption. I'm making a general strategy here. It's a classic thing you do in the military. You don't necessarily have hard data to tell you something, but you put yourself in the other guy's shoes and you say, "If I were going to take on myself, how would I do it?" And "Whoa, I could get huge benefits," It's hard for me not to think that somebody else would bump into that particularly if they're angry at the United States and they want to take some action to express that anger. Osama has been more articulate about this and I suspect it is going to be a growing trend.

As other evidence of this I would point to something that was lost after the Madrid attack. It happened just four days afterwards in the port of Ashdod in Israel. Palestinian suicide bombers hid themselves in a container with a hidden wall and they came into the port. And, unlike here in the United States and virtually everywhere else in the West, where they actually open empty containers to see if there's anybody in them, in Israel they say, "It's just the wall," so they close it, they let it in. These guys burst out and they went after a chemical storage facility there in the port, with the hope of blowing it up. They were intercepted by eight Israelis, who were killed in the process along with them. There was an AP report about it that disappeared very quickly. The fact that there was terrorism in Israel seemed not particularly newsworthy, and we had Madrid in all the headlines. But my point is that this was not a wedding, it wasn't a commuter bus, it wasn't a caf?. This was exploitation of the infrastructure and directed at infrastructure. I think this is potentially where some of these folks are going.

Now on to cyber. I think there's sort of a "good news, bad news" here. There are parts of this thing that make me very nervous.

The good news of sorts is that cyber is at war every day. When the hackers get really good, we hire them back, out from under, to help us put a defense in place for the kinds of things they and their comrades do. And so many places are actually fighting this battle day-in day-out.

There are parts of the network that are particularly worrisome, and there are clearly parts, like infrastructures for water supplies and other things, that are less protected because they haven't been probed as much. The skill sets are being pretty well developed and it is an ongoing capability.

Y2K also certainly brought this into focus and built some of the government-private information cooperation framework that doesn't exist at all in some of these other sectors. So I focus more on the hardware issue. My nightmare scenario, which is one that comes from spending a lot of time talking and seeing how this operates, is a hardware kind of thing. The scenario I lay out in chapter 2 of my book, called "The Next Attack," involves essentially four dirty bombs: one here in Port Elizabeth; another on the Ambassador Bridge, the world's busiest commercial crossing between Windsor, Ontario, and Detroit, Michigan, where virtually all our automotive industry moves their stuff back and forth; the other is in the Port of L.A.; and the last is in Miami, in the Free Trade Zone. These four dirty bombs go off.

The response by the U.S. government is to immediately close all our seaports and to close the borders. The longshoremen won't work. The Teamsters won't drive the trucks. The mayors are saying, "I don't want any trucks and trains coming into my city," because the terrorists come on Al-Jazeera about six hours later and say, "We have three nukes, not dirty bombs, that we'll set off if you don't get out of the Middle East."

The cascading effects are that within two weeks the entire global trade system essentially collapses. It's because essentially this all has to keep moving to keep moving. I describe it as like being at the bottom of a very long escalator and tripping, and then everything comes crashing down. When we close our seaports, essentially all the ships that were destined to unload goods have to anchor out. Then the terminals overseas, particularly in places like Hong Kong and Rotterdam and Singapore, have to close their gates immediately to all incoming trucks because they have no place to put them; they will be in the cement mix bowl of containers. That means every truck and train coming into the terminal is stuck with a container on its back with no place to go. That means back at the factory with goods to ship there's no truck or train to pick it up.

The service agreements are typically to deliver overseas shipments between 14 and 21 days. Nobody has a plan for when you can't meet the deadlines, that solves how people are going to get paid. None of this has been reconciled before.

And so you're talking about an event in one part of the sector—and it probably doesn't even have to happen here in the United States for this to work, because we now have this International Ship and Ports Security Code, the ISPS Code, where we've raised all the alert levels up, which has the same effect of basically putting the whole system into gridlock, with those kind of consequences.

Now, I look at that scenario and I say: If all it takes is something like that to shut down the global trade system, that's probably a pretty attractive possibility to do. But it turns out shutting it down like that only works well when we can't identify that the bulk of things moving are actually not high-risk. That happens when we have the system we have today, which is this "trust but don't verify" kind of approach to moving everything around. If I could identify very quickly where those things came from that caused the problem and I could isolate the parts of the system, just like the Chilean grapes, then I don't end up having to shut the whole thing down, and then the advantage of doing this starts to go away.

So cyber is absolutely an issue, as all these infrastructures are. They are driven by those four imperatives I've talked about here. We've made some headway with Y2K and the fact that they're constantly under assault. For some of these other sectors nobody has really begun to do any real work, and that's why it worries me.

QUESTION: On a more municipal subject, if a homeless man can get in and start a fire in our electrical system that shuts down two subway systems for maybe a year, it's appalling what a terrorist could do.


QUESTIONER: So obviously we're not terribly well prepared for this.

STEPHEN FLYNN: No. There are a number of examples I could provide of lack of security or lack of capability that we have. But it does also highlight again the sort of dual-benefit argument here: Look, we're going to have people do this kind of thing, and these systems are very valuable to the way we live. The problem is the cost of my putting into place the measures that I need to protect the system vis-?-vis the benefit that accrues to the people who depend upon it; we have never found a good market way to make that all work well.

QUESTIONER: One thing would be just locking the door.

STEPHEN FLYNN: Locking the door would make a big difference. For example, the two biggest improvements for aviation security are: (1) harden the cockpit door; (2) change the behavior of the passengers. Everything else has been largely extra, at huge cost. You know, if you have the chance before things happen, you can think rationally about it.

I'm talking about the issues of the infrastructures, and all of this sounds very nitty-gritty. At the end of the book I really try to highlight that my biggest concern isn't actually the risk of potential loss of life, as terrible as it is—we lost 43,000 people on our highways last year—I mean there are lots of numbers and dangerous things that happen in our society; nor is it the economic wealth in the near term or medium term. My main concern is our democratic institutions themselves.

I very much worry that the biggest danger is not what terrorists can do to us, but what we can do to ourselves when we're spooked. My basic argument is that I can't guarantee that our government won't overreact, or our citizenry won't overreact if we take prudent measures to rein in this risk, to build our resilience. But I guarantee they will overreact if we do not. It is directly proportional.

And I would argue we are in a much more dangerous time right now than we were on 9/11. On 9/11 we really only had one horror. It was the horror of that day, the loss of life and the loss of landmarks. But we didn't have the horror of gross government incompetence, because we all rallied around the fact that our fire fighters, our mayor and our policemen and so forth did under tremendous circumstances an extraordinarily admirable job. If that had happened in virtually any other city in this country, without some of the capabilities that New York, and particularly Manhattan and lower Manhattan, possess, it might have been much worse. But what if Americans had seen two things, tremendous loss of life and gross government incompetence in response? Now it's even worse because we've been saying to the American people for the last three-and-a-half years: "Everything that can be done has been done. You can shop and travel. Rest assured your government is on watch and has got this under control."

It turns out we see that the most commonsense things have not been done, that outside of Washington, D.C., there's not a single fire department or police department that share the same radios today, that in fact in an organization like the Customs and Border Protection Service that's responsible for policing folks, only 11,000 out of 41,000 people have computers tied to an Internet. The other 30,000 have to dial up to America Online or some variation thereof.

In Manhattan we do not have a plan yet in the fire department for how we deal with a dirty bomb in our city. It's a work in progress. Today the U.S. government has a plan to shut down all our ports but doesn't have a plan to open them back up again. I could go on and on with these kinds of things.

Imagine how the public would respond post these events—and of course all the lack of preparation will come out; we'll put it all under a spotlight, we'll put it under a magnifying glass, the Blue Ribbon Commission will roll in.

I have an opportunity to testify again tomorrow before the Senate Homeland Security and Governmental Affairs Committee—it's got a new name—before Senator Sue Collins and John Lieberman about where DHS is going. It will be the thirteenth time since 9/11 that I have testified. In my twelfth time, which I did after the 9/11 Commission's Report, I was so frustrated, looking up at the dais with these Congressmen looking at me like deer in front of the headlights, saying "There were problems?" that I said, "You know, this is the twelfth time that I've testified on these issues. I hope I'm not just providing fodder for the next Blue Ribbon Commission that's going to come in here and just replay this tape."

The Committee Chairman said, "You haven't testified before us before." I found that very reassuring. It is that kind of reality that's out there. So what's the risk? The risk becomes that we think this core function our government is supposed to do is being taken care of.

I am convinced that Americans don't expect perfect security; I think we can live with risk. We just expect, though, that prudent methods have been taken to deal with this. If we find out that they haven't been and that we've been essentially sold a bill of goods to a large extent, then I think we could overreact, and then our politicians are likely to overreact in anticipation of our reaction with demagoguery and so forth, and we get ourselves in a real jam.

QUESTION: I don't know if you can comment on it, but I was wondering if Israel had dealt with these issues to any great extent, or at they still at large dealing with similar issues as we do, except on a much smaller scale? Obviously, the size of Israel makes things very different.

STEPHEN FLYNN: Israel is such a challenging case study because it is such an extraordinary and unique set of circumstances, but there certainly are lessons to be learned.

One is very much this issue of resilience, which I'm trying to drive home; not perfect security, not defense, but resilience. You know, it really is beyond a point of pride. It's a sense that this is how you have to deal with this. When the caf? goes up, after you clear it up, everybody comes back to the caf? the next day. It's a sense that you're not going to allow these acts to change your life and how you go about life. That's very much in the Israeli character.

There also, of course, is just a general awareness that's built into everybody along the way. Virtually all terrorist attacks are not stopped by special forces, the police, and so forth; they are stopped by bus drivers and passengers and restaurant owners and livery drivers, who see what is always the case: behaviors of people about to kill themselves and kill others are different from people who are trying to eat a meal or enjoy the camaraderie of friends. So there is an awareness there that exists. It's an acceptance to some extent of a bit of inevitability, but it's a proof of resilience.

I would suggest there is another model, which is Britain and how it dealt with the IRA; same kind of deal. Or Britain during the Battle of Britain; pretty terrifying stuff having missiles fall out of the sky on you. And yet, at the end of the day the military futility of doing that proved itself: first, they weren't actually hitting targets, their accuracy was terrible; but secondly, they were actually rallying the British people.

That issue is much different from how the Brits viewed it in the 1930s. Chamberlain was convinced that with any attack on British soil the country would fold; that's why he believed in appeasement to a large extent, thinking if they have that ability, we have to stop war at all costs. I would argue that his paternalism didn't appreciate the character of his own people. I accuse many of our leaders of having the same thing. I get so angered by the notion we shouldn't square with the American people about this because we'll panic them; they'll stop shopping and traveling.

My response was that on 9/11 here in New York, where I was, like I expect many of you, I did not see people acting like little movie extras in a Godzilla movie. I saw the very best of the American people, with no federal government in sight. It is not the case that with a little bit of scary news, or even the actual event, that we turn ourselves into headless chickens. The reality is that we turn out to be pretty damn resilient. Maybe treating us like adults instead of like domestic pets might be the way in which we ought to go.

Part of this is the legacy of the Cold War, when this was a very tenacious adversary we were dealing with; the stakes were enormous, thermonuclear war; and everything ended up in this cone of silence and an ongoing process, a closed network of this national security state. Not much you or I as citizens could contribute to the process out of our cash to bankroll it. So we pursued happiness and the security state secured us.

It's hard for them to acknowledge the extent to which, no matter what they can do, they cannot in fact do enough to protect the most likely targets of this, which is us. And so I make the case in the end here that we, the people, provide for the common defense; that's one of the things we put in the Preamble to the Constitution. If our government knows, members of our government know, that they in fact cannot provide for our common defense in the face of this threat, they have an obligation—I would argue a constitutional obligation—to square with us.

Then we may decide we will live with the risk. Or we may decide: No; spend more resources to fix the risk. But we as a democracy are deprived of that conversation, of making that judgment, when people behind closed doors are saying, "It's too hard, too expensive, too frightening, to deal with that threat. We'll deal with this one that we're more comfortable with. But we don't tell anybody about it."

QUESTION: Talking about resilience and containment, don't you need to write a better playbook for the media?

STEPHEN FLYNN: Absolutely. There are two processes. Actually, I commend you to something the Council on Foreign Relations got engaged in. There's a movie out called "Dirty War," which just played last night on HBO, and I'm sure it will again. They're actually giving it to PBS, which I think is extraordinary, the first time they've ever done it, and it will be aired on February 23rd.

"Dirty War" is about a hypothetical al-Qaeda attack on the city of London involving a dirty bomb. It's made by one of the best documentary directors in England. He has made an extraordinary film. We at the Council decided to show it, since it was felt that there was an education value to it beyond just a scary movie kind of thing. I went in, with some skepticism, to watch it. I was really struck with the authenticity which they captured. The director got tremendous cooperation from people below the radar screen to make the story. At every opportunity to sensationalize, he went in the other direction.

So the media sometimes can serve as a useful public education tool if they get it right. It becomes absolutely essential because that's where we get most of our information from. And so I've made the case to some of the network anchors that instead of having the pretty face as the best guy you can get, you need to have people who actually provide expertise up front.

You know, we all scoffed at the ready-dot-gov campaign, with the duct tape and so forth. We're now increasingly cynical about the information that government provides. I think the only corrective for that is to rely on employers, frankly, to help transmit the information. People are not at a point where they will trust the information that the government gives them about what prudent measures they should take to protect themselves in the face of this stuff.

I think our only sort of next-tier hope is employees saying: "Look, this is sensible stuff. Here's information I'm putting my imprimatur behind. I'm somebody who is vested in who you are. These are things that you should have"—maybe even help them have it—"and these are protocols that we'll implement when these events happen." If you don't do this sort of psychological preparation and information sharing up-front, if it doesn't come from people who are perceived as credible sources, we're in a world of hurt.

I think the media is doing this up to a point, but we all know that's a polarized view too. We're not going to get everybody through employers, but we can make a big, big jump forward if we had leaders of companies. At the Council we have in fact advertised our own film that we made internally, which is on the Web and can be downloaded. We figure we should practice what we preach. We have a whole "this is how you prepare" segment. We're a fairly small organization, yet we have a list of things, such as ready cash to give people if something goes wrong, so if ATM machines go down they can get money; we have phone trees set up; we have all these kinds of things. They're little things, but they are things that can provide a great deal of comfort when something goes wrong. That is at the end of the day what we really need to begin to do.

I'll finish with a quote I have in the book here. It is one that has served as some source of inspiration for me throughout my process here as I work on these issues. They are words by our greatest President as crisis manager when he said the following: "The dogmas of the quiet past are inadequate for the stormy present. The occasion is piled high with uncertainty and we must rise to the occasion. As the case is new, so we must think anew and act anew. We must disenthrall ourselves and then we shall save our country." That was Abraham Lincoln in a letter to Congress in December 1862. He had a way with words. Thank you very much.

JOANNE MYERS: Thank you. We can only hope that after your fourteenth visit to Washington somebody will listen and pay attention. Thank you for being with us.

blog comments powered by Disqus

Read MoreRead Less