Compensating Controls: Snatching Victory From the Jaws of Defeat
On May 1, 2010, smoke was observed in Times Square in New York City, emitting from a sport utility vehicle laden with an improvised explosive device. After authorities disarmed the device, an investigation began to uncover the identity and whereabouts of those responsible for assembling and attempting to detonate the device. As a result of the investigation, Faisal Shahzad was identified as a suspect, placed on the Transportation Security Administration’s (TSA) no-fly list, and later captured after he attempted to fly to Dubai on Emirates Airlines.
Authorities are calling this capture a success: the bomb did not detonate, no lives were lost, and a suspect is in custody. Yet just four months prior, the White House cited “totally unacceptable” systemic failure after Umar Farouk Abdulmutallab was unsuccessful in his detonation of plastic explosives concealed in his underwear during a Christmas Day transatlantic flight to the U.S. Both scenarios seem similar: failed explosion, no lives lost, suspected perpetrator apprehended. Yet, the first is a “failure” and the second a “success?” How can this be? Politics aside, I think there is an answer.
Know the Purpose and the Value of Your Controls
When implementing strong security, it is important to understand the various types, purposes, and relative effectiveness of various controls. Generally, controls are either administrative (applied to willing participants to set guidelines), detective (applied to raise awareness of particular activity) or preventive (applied to stop a particular activity from occurring). These tend to blur together in some instances, but the TSA uses many at airports:
- Signs are posted to instruct passengers on procedures, lines are formed to guide passengers through screening stations (administrative)
- 3 oz. fluid containers are voluntarily placed in a clear plastic bag (detective)
- X-ray, full-body scanners and metal detectors (detective)
- No-fly list, selective screening designations (detective)
- Baggage is not loaded unless a passenger boards an aircraft (preventive)
Generally, preventive controls are necessary when dealing with uncooperative threat agents (think fences, guard dogs, and locked doors). Administrative controls are best at setting expectations or raising awareness for cooperative threat agents (awareness helps to keep intentional or unintentional threats from arising from trusted employees). Detective controls serve a primarily investigatory or forensic purpose, and are often helpful in reconstructing events after the fact, although sometimes useful to initiate investigation before a threat can have an impact.
In both of these attacks — the Christmas Day attack and the May 1, Times Square bombing attempt — both attackers were successful in initiating the attack. For this reason, each effort by law enforcement should be deemed a failure to some degree, and a near-success on the part of the attackers. What is important, going forward, is that authorities review their controls, ensure that they are properly covered, and that they are identifying areas where the attackers got close to success, so that such incidents can be more effectively prevented in the future.
The Value of Compensating Controls
With a clear understanding that both attacks are ultimately near misses, it still seems appropriate to consider the Christmas Day attack a failure on the part of the Department of Homeland Security (DHS), while the latter Times Square incident is a success for the DHS. The difference, I believe, hinges upon both the target of the attacks, as well as the expectation for protection on the part of the security controls applied.
In the Christmas Day attack, Abdulmutallab planned to execute his plot on board an airliner, which is ostensibly a directly protected asset. On the contrary, Shahzad targeted New York City’s Times Square, which is much less tightly controlled than airports. In the former, there is an expectation of safety — air passengers submit to detailed screening and physical searches before being granted entry; in the latter, there simply is not the same level of invasive security applied to visitors. A successful attack within the protected environment behind the airport security checkpoints, therefore, tarnishes the apparent capability of the extreme security measures that have a high public expectation of success. Times Square does not carry the same expectation of safety.
However, I believe that the more important failure at the time of plot execution was that the administration has set an expectation that detective controls such as the no-fly list will act as preventive controls — at best, they can only stop known threat agents. Much could be said about the ineffectiveness of TSA policies and procedures — certainly many of my peers in the security industry have commented at length on this topic. The administration was fortunate in both cases to catch the suspects (perhaps more so with Shahzad; Abdulmutallab was observed by passengers to be smoldering), but expecting layer upon layer of detective controls at the execution phase to be the most effective in foiling attacks is the real loss.
From Quantity to Quality
We see that many controls of lesser effectiveness (those applied at an attack’s execution, or after) can result in some degree of mitigation, if not prevention. As more controls are layered (even those controls that provide incomplete coverage), the chances that targeted behavior is controlled (either detected or prevented) increases. But organizations should not constrain their security programs to operate only in one area (attack execution vs. intelligence predicting possible attack) if possible, nor should they limit themselves to one class of control (detective, preventive, etc.).
This applies not only to physical security, but also to network security, where network awareness and strategic intelligence about emerging threats and attack patterns can better prepare an organization for future attack trends. Security principles applied to any scenario should be an assortment of each kind of control, covering as much breadth of the attack life cycle as possible, with a preference toward the early stages whenever possible. Layering for quality of controls, and not just quantity, applies resources in the most effective manner, and will steer security programs toward more proactive security management, and fewer near misses.
Finally, I cannot say enough about the ability for vigilant, aware, and intelligent people to speak up when they notice something amiss. In the case of Times Square, that would be Aliou Niasse, the street vendor who noticed smoke coming from the bomb-bearing car parked near his stall. Despite his self-professed poor grasp of English, and lack of minutes on his prepaid cell, he knew that he had to take action to alert police.