July 27, 2003
The Congressional report on the 9/11 attacks spells out very clearly the systematic flaws in our national strategy for combating terrorism.
The recent report of the Congressional joint investigation of the 9/11 attacks is re-igniting discussion of intelligence failures. I'm still working my way through the report, but it is obviously a consensus product -- the result of a process almost guaranteed to reinforce, rather than challenge, expand or illuminate conventional wisdom. Never mind the extensive redactions and deletions, it is my impression that even the Top Secret version of the report contains little information that differs from the public understanding about the attacks. Bland and innocuous attention is paid to the relations between the FBI, CIA, NSA and DIA (charmingly referred to as the "Intelligence Community" which is like referring to the Hatfields' and the McCoys' neighborhood as a "rural community"), or the numerous missed opportunities (and several clearly existed) for at least robbing the suicide attackers of their initiative or at best apprehending them and preventing the attacks entirely.
There are no surprises of substantive value to anti-terrorism policy, nor are there any conclusions that differ greatly from views already aired in public opinion before the end of 2001.
Three observations on the report:
- The concept of "intelligence failure" obscures a hard truth about systemic failures being normal, not exceptional events.
- The underlying and unexamined assumption that all terrorists attacks are preventable is not only unjustified but dangerous. A close reading of the report actually reveals why terrorist acts are not preventable.
- The underlying extrinsic purpose of reports like this is restoring "confidence in the system" not changing it and the bedrock intrinsic purpose is confirming a pre-existing consensus power sharing arrangement.
Reaffirming the power structure
Taking the last point first, reports such as this one have a normative function of telling everybody that despite the jetliners crashing into building, presidents being assassinated (ala the Warren Report), tankers sailing into rocks and discharging oil over hundreds of miles of beaches (Exxon Valdez, Torrey Canyon, etc. ad nauseam), chemical plants poisoning thousands (Bhopal) or pipelines, space shuttles, ammunition depots, volcanoes and nuclear power plants exploding, melting down or otherwise causing undue excitement, everything is really okey-dokey and people can go back to sleep and let their betters continue with the arduous, thankless but extremely enriching process of running things however they see fit. Everything is under control.
It is only in the rare instance -- Richard Feinmann's performance during the Challenger inquiry being the example that comes to mind -- of a maverick actually asking hard questions and demanding unpleasant answers does a disaster post mortem actually produce meaningful results. In nearly all instances, the real function of these ceremonies is to reconfirm pre-existing power relationships and perhaps negotiate a low-ranking scapegoat or two. Lee Clarke has done a splendid job of describing the charade of disaster planning in his book Mission Improbable [see our earlier review here] and the charade of disaster post mortem is essentially the same.
The most revealing feature of the findings is that the establishment consensus does not support any meaningful organizational or systematic changes to counter-terrorism except to shovel more money off to unaccountable, uncooperative, evasive and antiquated agencies. This is actually reassuring because sometimes these reports are used as the excuse to promote massive power shifts and fundamental changes of government.
It could have been worse. After all, this is the same establishment who saddled us with the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001. They might have recommended appointing Dick Cheney as emperor for life or something. For this we give humble thanks.
Comprehending the incomprehensible and controlling the uncontrollable
Terrorist attacks are a special category of disaster. Unlike accidents, earthquakes, violent storms, and such, terrorism is an intentional activity. Like its cousins war and crime, terrorism is a planned and purposeful activity. Unlike warriors but like criminals, terrorists conceal their identities from their targets. Unlike criminals but like warriors, terrorists pursue secondary goals -- the immediate results of terrorism are a means to a goal, not the goal itself.
Unlike open warfare, deterrence of terrorist attacks is indirect and very lopsided. Given the characteristic concealment -- or more precisely the "loose coupling" between terrorist actors, terrorist supporters and terrorist beneficiaries -- it is often very difficult to determine what reaction to a terrorist attack is the optimal one. History is replete with examples of terrorist targets reacting in ways that seem rational and supportive of self-interest that turn out to be highly contrary to self-interest and even desired by the terrorists. The assassination of Archduke Ferdinand triggering the outbreak of WWI is a classic example. Serbian ultranationalists (the Black Hand) support terrorists in the Young Serbia movement to increase tensions with the Austro-Hungarian empire. Germany eggs Austria on with a promise of unqualified support and kablooey! When the dust settles, both Germany and Austro-Hungary are politically and economically shattered. Shrewd.
The implicit promise of the 9/11 report and the various power shifts in the federal bureaucracy like the creation of the Homeland Security Department is that terrorism is preventable by military and law enforcement action. Individual terrorist attacks may be preventable, but terrorism itself is not going to be eliminated by purely reactive and essentially military policies. Furthermore, terrorism concentrates on striking vulnerabilities. It is a continuously evolving contest of strategies and counter-strategies. For a successful "spectacular" strike (one that exploits previously untested vulnerabilities) to succeed, all that is required is for the counterterrorism program to have a blind spot or point of inertia where the attackers are not expected. It is absurd to think any large institution like a national counterterrorism program will be fast enough and flexible enough to never fail in prevention. As long as there are terrorists with the will and resources, no military or law enforcement program will be fault free.
But that is the underlying assumption of pin-pointing the "intelligence failures" of 9/11. Snuggled under the blanket of security rhetoric is the assumption that terrorism is always preventable and that a sufficiently complex system of safeguards will be foolproof. It's a dangerous assumption. Not because military and law enforcement activity lack value -- they are clearly necessary -- but because they do not address all of the aspects of successful anti-terrorism. The danger lies in believing the "intelligence community" possesses a panacea. It does not. Military and law enforcement strategies are insufficient. Counter-terrorism (essentially warfare against terrorists) can often extend terrorist conflicts in both space and time.
One result of successful attacks can be to pointlessly escalate flawed strategies and get trapped into a vicious cycle of trying harder and harder at pointless and debilitating activities. This is precisely the conditions which lead to the defeat of counter-terrorism strategies and the success of terrorism.
"Normal Accidents" and the unreliability of complex systems
Terrorism studies frequently refer to "low probability/high consequence events." The 9/11 attacks were exactly this sort of situation. They exploited systematic failures in security. These failures are inherent in complex systems. Charles Perrow has written extensively on what he calls "normal accidents" -- low probability/high consequence events in complex systems which are unpredictable and unavoidable in the long run. The newspapers call them catastrophes and disasters.
Perrow's insight is that systematic failures are more common than most people think. System failures are often masked by phrases like isolated incident, human error, impossible to predict, astronomical odds, etc. In retrospect, it can be relatively easy to pinpoint where a disaster could have been prevented.
The Titanic could have sailed a few miles farther south. The repeated failures of the o-rings in Space Shuttle boosters could have postponed launches during cold weather. Archduke Ferdinand could have been early or late in Sarajevo and avoided the assassin. The Purple intercepts could have reached the War Department in time to alert Pearl Harbor that an attack was expected. Pigs can fly if you throw them hard enough.
All this retrospective "what if" misses the point. The failures of 9/11 were systematic failures. The hallmark of a "normal accident" is everything that can go wrong does. Consider the statement of the Counter Terrorism Center (CTC) supervisor quoted on page 151 of the declassified 9/11 report:
"[E]very place that something could have gone wrong in this over a year and half, it went wrong. All of the processes that had been put in place, all the safeguards, everything else, they failed at every possible opportunity. Nothing went right."
This is a classic description of a "normal accident." The findings and recommendations of the 9/11 report treat the attack as an abnormality that can be addressed by looking at the specific failures -- mostly in communication and coordination -- of the U.S. counter-terrorism program. What the report does not address or even recognize is that systematic failures are normal and not exceptions.
Many features of high-risk systems that are prone to "normal accidents" are typical of counter-terrorism programs:
High risk - terrorism is the intentional creation of disasters. Counter-terrorism is a high risk activity because small mistakes can have enormous consequences.
Interactive complexity - system failures can interact in unexpected ways or create cascading events which rapidly move beyond participants understanding or control.
Non-redundant sub-systems - Intelligence is continually balancing the need to know with the need for security. The most common solution is the compartmentalization of information and operations and tight restrictions on "need to know." Compartmentalization in large organizations -- or networks of organizations -- creates bottlenecks and situations where the success or failure of the entire organization rests in a tiny part - the "for want of a horseshoe nail" problem. Conversely, duplication of effort can lead to competition for resources, internal friction, wasted effort and loss of security. There is no solution to this problem. The risks can be minimized but they can't be eliminated.
Tight coupling - a tightly coupled system has little 'slack' at critical points. One form of tight coupling is feedback, where sub-systems have strong influence on each other. This can be positive feedback, as when a mistake is rapidly transmitted through the entire organization. Or it can be negative feedback where permission to act is slow or hard to obtain. Typically, terrorist networks (at least those that survive for very long) have numerous "buffers" or "cut-outs" which create looser coupling at the price of diminishing centralized control. The Iraqi resistance networks attacking U.S. soldiers and sabotaging the energy infrastructure appear to be very loosely coupled. The counter-terrorism establishment, particularly the FBI, is very tightly coupled.
Incomprehensibility - normal accidents (or systematic failures) are not just unexpected, they are also usually incomprehensible as they occur. Ambiguous or incomplete information can prevent understanding, or more often, create false understanding. Terrorists reliance on stealth and concealment relies on maximizing the incomprehensibility of their actions. In many cases, misunderstanding is more likely to contribute to a catastrophe than not understanding because it takes much longer to correct something that already exists than to create something that is seen as lacking. "Everybody knows" is often a sign that nobody understands.
Organizational issues - there is an unavoidable conflict in large organizations between the need to independently take strong actions rapidly and the need to coordinate actions through centralized control. The larger the organization, the greater the opportunity for situations to arise where conflicts between independence and coordination will create unavoidable dysfunction.
The Congressional report reflects none of these realities. The findings and recommendations are all rooting in the belief that minor and incremental changes -- turning a screw here, a bit of duct tape there, a new color-coded system of signaling the level of panic in Washington DC -- are all that are necessary. Everything is fine, go back to sleep.
And everything will be fine. Until the next systematic breakdown of security occurs. Then a little more duct tape, a turn of the screw, etc.
In fact, the national risk posed by terrorism has been reduced -- somewhat. The gaping security flaws that enabled jetliners to be used as guided missiles have been corrected to a considerable extent. Heightened surveillance and counter-terrorism intelligence will yield some positive results.
But in reading the report, it is glaringly obvious how little was being done, how little awareness there was of the trend towards mass casualty and catastrophic attacks by Al Qaeda and how little anyone inside the system could do to overcome the inertia and bureaucratic resistance to change.
And that is where the real risk lies. Terrorists are flexible in their strategy, adaptive in their tactics, loosely coupled in their organization. In an asymmetrical conflict, the odds will continue to favor them. The key to understanding is recognizing successful attacks are low probability / high consequence events. Terrorists can fail repeatedly, but their success hinges on being able to pull off the long-shots, they can fail 99.99% of the time and still continue to hold the initiative by succeeding to get through once in a very great while.
And that is where we need to pay more attention. To "consequence management" -- essentially humanitarian operations aimed at healing the trauma of the rare successful attack, showing mercy and kindness to the victims, preventing mass-psychosis from moving us up another step in the ratchet of reprisal and revenge. Instead, we are told that we will benefit from increased repression, fear-mongering, reactive aggression and increasing destabilization of the international scene.
That's not winning against terrorism, it's joining it.