 |
 |
 |
 |
 |
 |
 |
 |
 |
 |
Notes for a speech
by Jacques Duchesneau, President and CEO
Canadian Air Transport Security Authority (CATSA)
4th Annual International conference on Public Safety, Technology and Counter Terrorism
Check Against Delivery
March 14, 2005
San Francisco, California
Introduction
I am delighted to be with you today. The choice of a meeting place is not accidental, for we are very close to Silicon Valley, the Mecca of new technology. That makes this an excellent occasion to discuss the role of information technology in the fight against terrorism. As President and CEO of CATSA, this is obviously a subject of great interest to me.
A changing world
Since the events of September 11, 2001 CATSA's priority has of course been the fight against terrorism. The terrorist attacks taught us that terrorism is a weapon that can kill on a grand scale and sow chaos worldwide. But above all, 9/11 taught us that terrorism is a cancer eating away at the very foundations of our society.
We are working without respite to cure this disease. We are doing whatever is necessary to fight terrorism effectively and make aviation safe. Granted, our enemy is difficult to fight but he is not invincible. As military strategist Sun Tzu said, " If you know the enemy and know yourself, you need not fear the result of a hundred battles.1"
So we have to know the enemy. We have to know how he thinks, and what his methods and tactics are. We are already familiar with so-called traditional terrorists. They support causes that, more often than not, involve territorial claims or left-wing ideologies.
While these traditional terrorists are still around, we now have to take into account a new kind of terrorist. What is this "new" terrorism? Paul Wilkinson, an eminent expert in the study of terrorism, writes, "This 'new' international terrorism . is more difficult to monitor and combat because it is much more amorphous and diffuse than other varieties of terrorist phenomena. Instead of well-defined organizational structures, with hierarchies and chains of command common to the more traditional terrorist movements, the 'new' groups are typically part of a shadowy network of militants operating transnationally. Instead of relying on a cadre of professional full-time terrorists to carry out operations, they mobilize part-timers, 'amateurs' or freelance activists, often with respectable day jobs and with no police record of involvement in extremist violence.2" Like a virus, terrorism mutated over the past few years, but this mutation began well before 9/11.
Unlike traditional terrorists, these "new" terrorists have no interest in negotiating. They do not want to change the system; they want to destroy it. While traditional terrorists were motivated by social and/or political objectives, and were ready to use violence to wrest concessions from governments, today the situation is much more complex and much harder to manage. The "new" terrorism is punitive, has no clear demands, and is based on millenialist or extremist ideologies. Since negotiation is now impossible, the fight against terrorism has been profoundly changed.
Over time, terrorism has also become an increasingly effective political weapon. One would have to have a malicious turn of mind to prove that the events of September 11, 2001 were inconsequential. For those events not only shook the American superpower to its core; they resulted in the declaration of war on terrorism, and they led to the war in Afghanistan, the war in Iraq, the fall of Saddam Hussein, and many other events in the Muslim world.
The more recent incident of March 11, 2004 in Madrid also demonstrates the potential political impact of terrorism: as a result of the attack, Spain withdrew its troops from Iraq.
The new terrorism also uses different methods from those of traditional terrorism. Our enemies today are ingenious: they work away every day at devising new ways to outsmart our security systems. On the one hand, they want to find our weaknesses, and on the other hand, like the practitioner of aikido ( martial arts), who turns the enemy's weight to his own advantage, they want to use our strengths against us.
The spread of information technology has intensified this trend. Using the new tools at their disposal, terrorist groups can now organize more effectively, but they can also deploy new vectors of threat. As James Fallows puts it, "Technology has changed the balance of power; it is easier for even a handful of people to threaten a community than it is for the community to defend itself.3" By using our strengths-information technology-the terrorists have put one more string in their bow, and have become an even greater threat.
Infosphere and cyberspace: firing the popular imagination
I now put this question to you: what is the terrorists' main target - governments? institutions? critical infrastructure? civilians? All of these are targets, true, but they are really oblique strikes at their real target-the human mind, the popular imagination, the collective psyche. What terrorists seek above all is to disorder normal social activity, through terror.
And what better way to attack the collective psyche of a modern society than through the media? By reporting news of attacks, the media are made into unwilling accomplices of the terrorists. They become the vectors of fear. The terrorists' ultimate target is attained through the use of the weapon known as the 'infosphere'. That word refers to the information realm, which includes broadcast, print and other media, as well as word-of-mouth reports4.
With the advance of information technology, cyberspace has also joined that realm. Cyberspace is virtual space in which digital information is circulated5, and it has revolutionized the way that information is exchanged, disseminated, processed and stored. Infosphere and cyberspace go hand in hand; messages flow freely between the infosphere and cyberspace, greatly complicating the management and security of information.
This close relationship between infosphere and cyberspace is exploited often by terrorist groups nowadays. By disseminating their propaganda on the Internet (cyberspace), they attract media attention (infosphere) and attack our collective psyche. The best example of this technique is the way terrorists have made videotapes of executions and posted them on the Web. By showing images of hostages being killed, the terrorists quickly capture the public's attention and produce a psychological impact even before the news of terrorists' violent actions is picked up by the media and the rumour mill and relayed through the infosphere.
Our dependence on technology is a security failing
The nineties saw the dizzying rise of these new technologies. They have certainly had a great influence on society generally, and on the security community in particular. In the context of CATSA's mandate, the importance of information technology cannot be denied. Biometric screening is a good example of an application of IT.
Increasingly, biometric technology will be used to screen employees and passengers. This will enable us not only to ensure that the people who work in our airports are reliable but also to separate legitimate travellers from illicit ones, very quickly and with a minimal margin of error.
Similarly, the new communications systems born of advances in information technology have enabled security agencies to coordinate their activities more effectively. Thanks to email, cellphones, mobile radio, IP telephony, and electronic surveillance, we can now monitor operations in real time and thus act more effectively in a crisis.
Generally speaking, it must be admitted that technology has given us tools that have made our work more effective, faster, and easier. As Kim Vicente writes, "Given this abundant knowledge of both the physical world and of technological possibilities, we might expect our problems with technology to decrease, not increase6." Unfortunately, that's not always the case. Technology has its limits. And it also has serious security failings.
One example of the technological limitations in security can be found in the tragic events of 9/11. A few minutes after the South Tower of the World Trade Centre had collapsed, the local authorities, fearing that the North Tower would collapse as well, ordered the firefighters to evacuate the World Trade Center. Twenty-one minutes later the North Tower collapsed, killing 121 firefighters who were still inside. That morning, the fire department's communication system most likely failed. Many firefighters never received the order to evacuate the building, and they perished7.
Another factor that must be taken into account is our growing dependence on technology, especially computers. Any IT security specialist will tell you that no computer is 100% foolproof-unless it's never been taken out of its box or turned on. Modern online networking has its benefits but it also has its share of weaknesses. With all the hackers and kiddie script on the Web, no system can be perfectly safe. As Jim Settle, the former Director of the FBI Computer Crime Squad, once said, "You bring me a select group of 10 hackers and within 90 days, I'll bring this country to its knees8". Knowing that hackers have increasingly powerful tools at their disposal that require increasingly less expertise to use, we have to wonder if it would still take as many as 10 hackers to bring a country to its knees.
When just a few lines of code can unsettle a whole society, the growing collaboration between hackers and criminals is increasingly cause for concern. The systematic use of spyware (programs that collect information on the computers they infect) by criminal organizations is clear evidence that we are dealing with a new breed of villains9.
In the fight against terrorism, we must never forget that the enemy has the same technological tools as we do. IT professionals have gradually come to realize that the tools they have invented are being used to plan and coordinate terrorist attacks10. Their fears are justified, for it has been demonstrated over and over again that the September 11th terrorists used sophisticated communication technologies in planning their operation. We also know that the Madrid bombing was orchestrated entirely in an online discussion group11. This shows us that since terrorist activities now transcend borders, the world's security agencies must do the same.
But the technological threat goes even farther. Eventually we are almost guaranteed to witness acts of 'cybertage' (computer sabotage) or even cyberterrorism. Why do I say this? Simply because the computer is a stealth weapon. It is cheap, effective, and the ideal support to physical attacks. "IT attacks can amplify the impact of physical attacks and lessen the effectiveness of emergency responses. . The increasing levels of social and economic damage caused by cybercrime suggest a corresponding increase in the likelihood of severe damage through cyberattacks12."
All the reports tell us that al-Qaeda has a very good knowledge of current information technology and is willing to exploit it to its full potential. In his studies of cyberterrorism, Dan Verton reports that al-Qaeda's use of modern technology to support its operations dates back to the early 1990s. Recruitment and training were done very carefully, similar to how a military organization would assess volunteers for special operations units. At first, al-Qaeda's computer science program focussed on technology as a command and control tool. More recently, the organization's computer science efforts have focussed on using advanced information technologies as a tool to study target vulnerabilities, including the use of the Internet as a weapon system13. Thus, al-Qaeda has dramatically improved its technological capabilities over the past few years. It has been innovative, technically and technologically, in developing new weapons to use in its avowed aim of threatening Western societies. The question is no longer if we will be the victim of an attack using information technology, but when, and if we are ready to respond to the threat.
Just beefing up security won't be enough. We must improve security. Increasing security is just a matter of degree, and the result protects us only to a degree. Improving security, on the other hand, implies an increase in quality that makes it possible to meet challenges to security. To improve security, it is essential that we be innovative. Effective security is a work in progress; ongoing improvements make it possible to respond in real time to problems and address weaknesses that otherwise would be detected by criminals and terrorists. Clearly, we are working in a very demanding field. We do not have the luxury of error. Just a single misstep could easily bring disaster. That's what happened on September 11, 2001. And it must never happen again.
New management methods for the digital age
There can be no doubt that information technology will continue to be a central concern, either as a tool to increase the effectiveness of our security measures or as a security risk. But all too often, we forget that behind all the technology there are people-the ones who work day after day in the field and have to deal with increasingly complex security challenges. They are the people who operate the highly sophisticated systems and face the day-to-day challenges to security, especially in aviation. And the way we manage security must take this human factor into account.
As John L. Hennessy, David A. Patterson and Herbert S. Lin write in Information Technology for Counterterrorism, "Technology is always used in some social and organizational context, and human culpability is central in understanding how the system might succeed or fail. The technology cannot be examined in isolation from how it is deployed. Technology aimed at assisting people is essential to modern everyday life. At the same time, if improperly deployed, the technology can actually make the problem worse". The spread of terrorism is one example. "But if technology is used well, it can reduce the potential impact of terror14." Thus, it is critical for us to think about the way we manage the relationship between security and technology. New approaches must be developed to integrate technology with our activities.
Take information management, for example. We have to ask ourselves whether the usual tendency of managers to 'push' information down the line is really the most efficient way to work. Perhaps pooling information so that the members of the organization can 'pull out' the information they need to work would be better. It would probably save security organizations from being bombarded with irrelevant details and would definitely would prevent duplication of information management and distribution tasks.
The 'pull' style of information management is an excellent introduction to network management. We have to ask ourselves if we can't take a lesson from the terrorists. Our security structures have to deal with the new reality of today. It is essential to reorganize the way we operate and to decentralize our operations as much as possible, to create a networked organization. For only by working in a network can we effectively combat terrorists who work in a network.
It is also important to ensure that the members of this network have the qualifications required to meet modern challenges. Clearly, this means that we need highly competent people who know how to make the most of the new technological tools. Obviously, these tools have the potential to be effective but they have to be handled by competent people, to prevent the notorious 'user error'.
Conclusion
US Ambassador Paul Cellucci recently expressed concern that a terrorist attack could be launched at the United States from Canada. Because I share this concern, we at CATSA are making it our business to deploy all the means at our disposal to fight terrorism effectively. To prevent this kind of disaster scenario, our attitude must be more than proactive; it must be pre-emptive. To defeat terrorism, the best defence is a good offence. We have to shadow the terrorists so closely that we can anticipate their intentions before they have time to develop a plan of attack. In short, we must understand that the face of terrorism is changing and the methods we use to fight it must change too.
While this talk is mainly about terrorism, I have to say that there are a number of other threats we face as well, such as cross-border crime. Criminal gangs are increasingly efficient and capable of extending their tentacles into all regions of the world. And the airports are often used as their way to penetrate new 'markets'. That is something we absolutely want to stop.
And then there is the myriad of day-to-day challenges every air transport security agency has to deal with-theft, lost children, bogus bomb threats, fires, sick passengers, customs procedures, lost luggage, and so on. Aviation security must meet all these challenges, while treating passengers courteously and obligingly.
The message I hope you will take away with you is that while technology can do a great deal for the security community, it also poses problems. Since we do not want to repeat the mistakes that made the events of 9/11 possible, we have to start thinking, right now, about the weaknesses in our technologies and their potential impact. If we start thinking along those lines, we are bound to find solutions that will enable us not only to make our security organizations stronger and more effective, but also to take the lead in the fight against terrorism.
Thank you.
1 Sun Tzu, The Art of War , http://www.military-quotes.com/downloads/aow.pdf
2 Paul Wilkinson, "Enhancing Global Aviation Security", in Paul Wilkinson and Brian M. Jenkins (ed.), Aviation Terrorism and Security , Frank Cass, Portland , 1999, p. 151.
3 James Fallows, "Success Without Victory", The Atlantic Monthly , January-February 2005, p. 82.
4 Jacques Baud, La guerre asymétrique ou la défaite du vainqueur , Éditions Du Rocher, Paris, 2003, p. 40.
5 Ibid ., p. 41.
6 Kim Vicente, The Human Factor: Revolutionizing the way People Live with Technology , Alfred A. Knopf Canada , 2003 . p. 14.
7 John L. Hennessy, David A. Patterson and Herbert S. Lin (ed.), Information Technology for Counterterrorism: Immediate Actions and Future Possibilities , The National Academies Press, Washington D.C. , 2003, p. 53.
8 Chris O'Malley, "Information Warriors of the 609th (The Air Force's 609th Information Warfare Squadron)", Popular Science , July 1997, at 74.
9 See: Spencer Swartz, Secret Service: Fraud Threatens Economy , (site visited February 22, 2005 ), URL: http://www.bizreport.com/news/8691/
10 Ed Yourdon, Byte Wars: The Impact of September 11 on Information Technology , Prentice Hall, Upper Saddle River , 2002, p. 108.
11 Douglas Frantz, Josh Meyer and Richard B. Schmitt, "Cyberspace Gives Al Qaeda Refuge", LA Times , August 15, 2004 , p. A1.
12 John L. Hennessy, David A. Patterson and Herbert S. Lin (ed.), op . cit ., p. 4.
13 Dan Verton, Black Ice: The Invisible Threat of Cyber-Terrorism , McGraw-Hill, Emeryville, 2003, p. 86.
14 John L. Hennessy, David A. Patterson and Herbert S. Lin (ed), op . cit ., p. 7.
