National Security Risk Analysis Dr. Greg Parnell Professor of Systems Engineering Department of Systems Engineering United States Military Academy at West Point gregory.parnell@usma.edu & Senior Principal, Innovative Decisions Inc. gparnell@innovativedecisions.com

Disclaimer The views expressed in this presentation are those of the author and do not reflect the official policy or position of the United States Army, the Department of Defense, Innovative Decisions, Inc., the National Research Council, or the Department of Homeland Security.

Agenda What is our U.S. National Security Strategy? What are the sources of national security risk? How do natural hazards and intelligent adversaries differ? Are natural hazard risk analysis techniques appropriate for intelligent adversaries? Can we model and use terrorist values and objectives? How should we analyze the risk of attacks from intelligent adversaries? What knowledge should a national security risk analyst team have?

U.S. National Security Strategy

Agenda What is our U.S. National Security Strategy? What are the sources of national security risk? How do natural hazards and intelligent adversaries differ? Are natural hazard risk analysis techniques appropriate for intelligent adversaries? Can we model and use terrorist values and objectives? How should we analyze the risk of attacks from intelligent adversaries? What knowledge should a national security risk analyst team have?

Risk of WMD in the National Security Strategy. Protect our enemies from threatening us, our allies, and our friends with WMD. “the greater the threat, the greater the risk of inaction” “Biological weapons pose a grave WMD threat because of the risk of contagion that would spread disease across large populations and around the globe” The National Security Strategy of the United States of America, The White House, March 2006

Risk terms (threat, vulnerability, and consequences) are used frequently. Threats (42) WMD (Nuclear, Biological, and Chemical) Global Terrorism Opportunistic aggression (regional security) Pandemic Vulnerability (1) DHS is “focused on three national security objectives: preventing terrorist attacks within the U.S.; reducing America’s vulnerability to terrorism; and minimizing the damage and facilitating the recovery from attacks that do occur” Consequences (7) Proactive counterproliferation efforts and improved protection to mitigate consequences of WMD use When the consequences of an attack with WMD are potentially so devastating, we cannot afford to stand idly by as grave dangers materialize. The National Security Strategy of the United States of America, The White House, March 2006

Agenda What is our U.S. National Security Strategy? What are the sources of national security risk? How do natural hazards and intelligent adversaries differ? Are natural hazard risk analysis techniques appropriate for intelligent adversaries? Can we model and use terrorist values and objectives? How should we analyze the risk of attacks from intelligent adversaries? What knowledge should a national security risk analyst team have?

Intelligent Adversaries Preparedness and Prevention Intelligent adversary (terrorism) risks are different than natural hazards. Natural Hazards Intelligent Adversaries Terrorism Information Security Historical Data Some historical data: Record of several extreme events already occurred. Very limited historical data: 9/11 events were the first foreign terrorist attacks worldwide with such a huge concentration of victims and damages. Extensive historical data for existing systems Information systems are under continuous attack. Difficult to predict attacks for new system designs. Risk of Occurrence Risk reasonably well-specified: Well-developed models for estimating risks based on historical data and experts’ estimates. Considerable ambiguity of risk: Terrorists can purposefully adapt their strategy (target, weapons, time) depending on their information on vulnerabilities. Attribution may be difficult (e.g. anthrax attacks) Ambiguity of risk: Attackers can access data not known to users or information security specialists. Attribution difficult. Geographic Risk Specific areas at risk: Some geographical areas are well known for being at risk (e.g., California for earthquakes or Florida for hurricanes). All areas at risk: Some cities may be considered riskier than others (e.g., New York City, Washington), but terrorists may attack anywhere, any time. All areas at risk: Internet provides connectivity for attackers as well as user. Information security only as good as weakest link. Information Information sharing: New scientific knowledge on natural hazards can be shared with all the stakeholders. Asymmetry of information: Governments sometimes keep secret new information on terrorism for national security reasons. Some sharing but strong incentives not to share. Organizations have incentives to keep confidential attacks to avoid loss of customer confidence. Event Type Natural event: To date no one can influence the occurrence of an extreme natural event (e.g., an earthquake). Intelligent adversary events: Governments may be able to influence terrorism (e.g., foreign policy; international cooperation; national and homeland security measures). Intelligent adversary events: Governments can influence, some international cooperation and national measures. Preparedness and Prevention Government and insureds can invest in well-known mitigation measures. Weapons types are numerous. Federal agencies may be in a better position to develop more efficient global mitigation programs. Attacks are numerous and growing in sophistication. Modified form Kunreuther, H. and Michel-Kerjan, E (2005), “Insuring (Mega)-Terrorism: Challenges and Perspectives”, in OECD, Terrorism Risk Insurance in OECD Countries, July (modified first two columns and added third column). Parnell, G. S., Dillon-Merrill, R. L., and Bresnick, T. A., 2005, Integrating Risk Management with Homeland Security and Antiterrorism Resource Allocation Decision-Making, The McGraw-Hill Handbook of Homeland Security, David Kamien, Editor, pp. 431-461

Agenda What is our U.S. National Security Strategy? What are the sources of national security risk? How do natural hazards and intelligent adversaries differ? Are natural hazard risk analysis techniques appropriate for intelligent adversaries? Can we model and use terrorist values and objectives? How should we analyze the risk of attacks from intelligent adversaries? What knowledge should a national security risk analyst team have?

Some key questions for risk analysis of the threat of WMD. Purpose Who uses the risk assessment? What do they use the risk assessment for? How does it support risk management? Data collection Who are the subject matter experts (SMEs)? Can we access the SMEs? What are the terrorist objectives? What are the agent/weapon threats? How do we deal with asymmetry of threat information? Modeling Are natural hazard techniques (e.g., event trees) appropriate for intelligent adversaries? What can we learn for information assurance risk analysis? Are other techniques available? Should terrorist decisions be model inputs or outputs? Who provides the probabilities? How do we assess the probabilities? What consequences should be considered? How do we model the consequences? Presentation How should we present the risk to decision makers and stakeholders?

Decision tree calculations with notional data. An intelligent adversary trying to maximize consequences would select Attack A.

A canonical intelligent adversary problem to compare risk analysis techniques. Event Tree Decision Tree Adversary attack (terrorist) Select target Select biological agent, nuclear weapon, chemical agent Acquire, deploy, and employ agent/weapon Consequences Attack success or failure Detection Interdiction Vulnerability Consequences given attack Consequence management Attack Attack Consequences Consequences Colleagues Howard Kunruether and Tony Cox contributed to this formulation.

Event tree calculations with notional data. Attack B contributes 84% of the risk.

Mission Oriented Risk and Decision Analysis (MORDA) supports the information assurance design process. MORDA PROCESS Hardware Adversaries Adversaries & Software System Lifecycle User Develop, Operations Mission Design Evaluate Select Integrate, & Support Options Design Design & Maintenance Needs Deploy Risk Assessment Attack trees Risk Management Multiple objective decision analysis Attacker Mission Support Service Providers Optimization and Cost/Benefit Analysis Countermeasure design options Mission Integration Adversary Support & & Attack Service Provider Analysis Model Models Model SOCRATES Model Buckshaw, D. L., Parnell, G. S., Unkenholz, W. L., Parks, D. L., Wallner, J. M. and Saydjari, O. S., “Mission Oriented Risk and Design Analysis of Critical Information Systems,” Military Operations Research, 2005,Vol 10, No 2, pp. 19-38.

Agenda What is our U.S. National Security Strategy? What are the sources of national security risk? How do natural hazards vs. intelligent adversaries differ? Are natural hazard risk analysis techniques appropriate for intelligent adversaries? Can we model and use terrorist values and objectives? How should we analyze the risk of attacks from intelligent adversaries? What knowledge should a national security risk analyst team have?

Terrorist Acts Suspected of or Inspired by al-Qaeda 1993 (Feb.): Bombing of World Trade Center (WTC); 6 killed. 1993 (Oct.): Killing of U.S. soldiers in Somalia. 1996 (June): Truck bombing at Khobar Towers barracks in Dhahran, Saudi Arabia, killed 19 Americans. 1998 (Aug.): Bombing of U.S. embassies in Kenya and Tanzania; 224 killed, including 12 Americans. 1999 (Dec.): Plot to bomb millennium celebrations in Seattle foiled when customs agents arrest an Algerian smuggling explosives into the U.S. 2000 (Oct.): Bombing of the USS Cole in port in Yemen; 17 U.S. sailors killed. 2001 (Sept.): Destruction of WTC; attack on Pentagon. Total dead 2,992. 2001 (Dec.): Man tried to denote shoe bomb on flight from Paris to Miami. 2002 (April): Explosion at historic synagogue in Tunisia left 21 dead, including 11 German tourists. 2002 (May): Car exploded outside hotel in Karachi, Pakistan, killing 14, including 11 French citizens. 2002 (June): Bomb exploded outside American consulate in Karachi, Pakistan, killing 12. 2002 (Oct.): Boat crashed into oil tanker off Yemen coast, killing 1. 2002 (Oct.): Nightclub bombings in Bali, Indonesia, killed 202, mostly Australian citizens. 2002 (Nov.): Suicide attack on a hotel in Mombasa, Kenya, killed 16. 2003 (May): Suicide bombers killed 34, including 8 Americans, at housing compounds for Westerners in Riyadh, Saudi Arabia. 2003 (May): 4 bombs killed 33 people targeting Jewish, Spanish, and Belgian sites in Casablanca, Morocco. 2003 (Aug.): Suicide car-bomb killed 12, injured 150 at Marriott Hotel in Jakarta, Indonesia. 2003 (Nov.): Explosions rocked a Riyadh, Saudi Arabia, housing compound, killing 17. 2003 (Nov.): Suicide car-bombers simultaneously attacked 2 synagogues in Istanbul, Turkey, killing 25 and injuring hundreds. 2003 (Nov.): Truck bombs detonated at London bank and British consulate in Istanbul, Turkey, killing 26. 2004 (March): 10 bombs on 4 trains exploded almost simultaneously during the morning rush hour in Madrid, Spain, killing 191 and injuring more than 1,500. 2004 (May): Terrorists attacked Saudi oil company offices in Khobar, Saudi Arabia, killing 22. 2004 (June): Terrorists kidnapped and executed American Paul Johnson, Jr., in Riyadh, Saudi Arabia. 2004 (Sept.): Car bomb outside the Australian embassy in Jakarta, Indonesia, killed 9. 2004 (Dec.): Terrorists entered the U.S. Consulate in Jeddah, Saudi Arabia, killing 9 (including 4 attackers). 2005 (July): Bombs exploded on 3 trains and a bus in London, England, killing 52. 2005 (Oct.): 22 killed by 3 suicide bombs in Bali, Indonesia. 2005 (Nov.): 57 killed at 3 American hotels in Amman, Jordan. 2006 (Aug.): More than 25 arrested in plot to blow up jetliners between London and U.S Global Incident Map http://www.globalincidentmap.com/home.php  Terrorism Knowledge Database www.tkb.org/home.jsp http://www.infoplease.com/ipa/A0884893.html

Characteristics of Past Al-Qaeda attacks Focus on strategy U.S. and our allies Seek high consequences Meticulous planning to maximize probability of success Execute multiple attacks Suicide attacks

“the attacks benefited Islam greatly…" Expected Outcome: "I was thinking that the fire from the gas in the plane would melt the iron structure of the building and collapse the area where the plane hit and all the floors above it only. This is all that we had hoped for." http://www.cnn.com/video/us/2001/12/13/bin.laden.high.cnn.med.asx

Can we model terrorism (Al-Qaeda) values and objectives? Is Al-Qaeda rational? Al-Qaeda’s objectives (911 Commission) Elimination of foreign influence in Muslim countries Eradication of those deemed to be "infidels“ Elimination of Israel Creation of a new Islamic caliphate Remove ‘infidels’ from Middle East Principal stated aims (http://www.infoplease.com/spot/al-qaeda-terrorism.html) Drive Americans and American influence out of all Muslim nations, especially Saudi Arabia Destroy Israel Topple pro-Western dictatorships around the Middle East Unite all Muslims and establish, by force if necessary, an Islamic nation adhering to the rule of the first Caliphs.

Al-Qaeda Training Manual focuses on strategy, operations, and tactics. Page 14 Page 15 http://www.usdoj.gov/ag/manualpart1_1.pdf http://www.fas.org/irp/world/para/aqmanual.pdf

Agenda What is our U.S. National Security Strategy? What are the sources of national security risk? How do natural hazards and intelligent adversaries differ? Are natural hazard risk analysis techniques appropriate for intelligent adversaries? Can we model and use terrorist values and objectives? How should we analyze the risk of attacks from intelligent adversaries? What knowledge should a national security risk analyst team have?

There are many national security risk analysis decision makers and stakeholders. State Local Private Citizens Strategic Our Focus Operational Tactical

Combining Consequences Several modeling decisions must be made to provide effective risk analyses that support national homeland security decision-makers. Run time Model complexity Frequency of attacks Terrorist Decisions US Decisions Uncertain Events Consequences Combining Consequences Source: Discussions with colleagues on NRC Committee

Several modeling decisions must be made to provide effective risk analyses that support national homeland security decision-makers. Run time Model complexity Frequency of attacks Terrorist Decisions US Decisions Uncertain Events Consequences Combining Consequences Real-time (Minutes) Transparent, simple models tailored to available data Ignore Scenarios Not modeled Mortality Not combined Hours Use meta-models developed for best available national models Time until first attack Probability distributions Deterministic (parameter) Morbidity Convert to dollars Days Distributed modeling using best available national models Multiple attacks Decision made to maximize some objective(s) Probability distribution Economic Combined with value function Weeks Black box with unvalidated, unverified, and unaccredited models Game theory models Probability distributions on probabilities Psychological Combined with utility function Months Attacker-Defender models Environmental Source: Discussions with colleagues on NRC Committee

Red teaming or seminar games can provide very important insights. Run time Model complexity Frequency of attacks Terrorist Decisions US Decisions Uncertain Events Consequences Combining Consequences Real-time (Minutes) Transparent, simple models tailored to available data Ignore Scenarios Not modeled Mortality Not combined Hours Use meta-models developed for best available national models Time until first attack Probability distributions Deterministic (parameter) Morbidity Convert to dollars Days Distributed modeling using best available national models Multiple attacks Decision made to maximize some objective(s) Probability distribution Economic Combined with value function Weeks Black box with unvalidated, unverified, and unaccredited models Game theory models Probability distributions on probabilities Psychological Combined with utility function Months Attacker-Defender models Environmental

Red Teaming ~ Structured Qualitative Inquiry ~ Detailed study plan (vignette, data collection plan, clearly identified study issues, elements of analysis) scenario, moves, counter moves assessments World class Red and Blue experts Expert study director, skilled in facilitation Transparence: data collection  observations  findings  conclusions Objective: Is our analysis framework robust enough to capture potential actions of intelligent adversaries?

Three adversary risk analysis modeling techniques. Terrorist decision tree Game theory Attacker-Defender models

Game theory and risk analysis. Run time Model complexity Frequency of attacks Terrorist Decisions US Decisions Uncertain Events Consequences Combining Consequences Real-time (Minutes) Transparent, simple models tailored to available data Ignore Scenarios Not modeled Mortality Not combined Hours Use meta-models developed for best available national models Time until first attack Probability distributions Deterministic (parameter) Morbidity Convert to dollars Days Distributed modeling using best available national models Multiple attacks Decision made to maximize some objective(s) Probability distribution Expected value Economic Combined with value function Weeks Black box with unvalidated, unverified, and unaccredited models Game theory models Probability distributions on probabilities Psychological Combined with utility function Months Attacker-Defender models Environmental

Combining game theory and risk analysis. No Attack Single Attack Multiple attack Stockpile C11 C12 C13 Stockpile + Biosurveillance C21 C22 C33 Stockpile+ Biosurveillance + Key personnel C31 C32 Everyone C41 C42 C43 Banks, D. and Anderson, S. (2006). "Game Theory and Risk Analysis in the Context of the Smallpox Threat," in Statistical Methods in Counterterrorism, ed. A. Wilson, G. Wilson, and D. Olwell, Springer-Verlag, NY, pp. 9-22. Vicki Bier, “Choosing What to Protect”, http://www.usc.edu/dept/create/assets/001/50760.pdf

Attacker-Defender Models. Run time Model complexity Frequency of attacks Terrorist Decisions US Decisions Uncertain Events Consequences Combining Consequences Real-time (Minutes) Transparent, simple models tailored to available data Ignore Scenarios Not modeled Mortality Not combined Hours Use meta-models developed for best available national models Time until first attack Probability distributions Deterministic (parameter) Morbidity Convert to dollars Days Distributed modeling using best available national models Multiple attacks Decision made to maximize some objective(s) Probability distribution Expected value Economic Combined with value function Weeks Black box with unvalidated, unverified, and unaccredited models Game theory models Probability distributions on probabilities Psychological Combined with utility function Months Attacker-Defender models Environmental

Attacker-Defender is a bi-level program (optimization) and type of Stackelberg game. Brown, G., Carlyle, M., Salmerón, J. and Wood, K., 2006, "Defending Critical Infrastructure ," Interfaces , 36, pp. 530-544.

Multiobjective decision analysis with decision tree/influence diagram. Run time Model complexity Frequency of attacks Terrorist Decisions US Decisions Uncertain Events Consequences Combining Consequences Real-time (Minutes) Transparent, simple models tailored to available data Ignore Scenarios Not modeled Mortality Not combined Hours Use meta-models developed for best available national models Time until first attack Probability distributions Deterministic (parameter) Morbidity Convert to dollars Days Distributed modeling using best available national models Multiple attacks Decision made to maximize some objective(s) Probability distribution Economic Combined with value function Weeks Black box with unvalidated, unverified, and unaccredited models Game theory models Probability distributions on probabilities Psychological Combined with utility function Months Attacker-Defender models Environmental

Multiobjective decision analysis with decision tree/influence diagram. Parnell, G. S., Multi-objective Decision Analysis, Wiley Handbook of Science & Technology For Homeland Security, John G Voeller, Editor, Forthcoming 2007

Multiobjective decision analysis with decision tree/influence diagram. Parnell, G. S., Multi-objective Decision Analysis, Wiley Handbook of Science & Technology For Homeland Security, John G. Voeller, Editor, Forthcoming 2007 Paté-Cornell, M.E. and S.D. Guikema. 2002. “Probabilistic Modeling or Terrorist Threats: A Systems Analysis Approach to Setting Priorities Among Countermeasures,” Military Operations Research, Vol. 7, No. 4, pp. 5-23. von Winterfeldt and Terrence M. O’Sullivan, A Decision Analysis to Evaluate the Cost-Effectiveness of MANPADS Countermeasures, Decision Analysis, Vol 3, No 2, June 2006, pp. 63-75.

Agenda What is our U.S. National Security Strategy? What are the sources of national security risk? How do natural hazards and intelligent adversaries differ? Are natural hazard risk analysis techniques appropriate for intelligent adversaries? Can we model and use terrorist values and objectives? How should we analyze the risk of attacks from intelligent adversaries? What knowledge should a national security risk analyst team have?

What knowledge should a WMD risk analyst team have? Strategy Objectives Tactics Intelligent adversaries Decision analysis Game theory Attacker-Defender models Risk analysis Consequence models Red teams Wargaming Analysis techniques Technologies Threat Conventional WMD (CBRN) Technologies for risk management Access to “world class” experts is critical.

Summary What is our U.S. National Security Strategy? Protect against WMD, especially bioterrorism. What are the sources of national security risk? WMD, especially bioterrorism. How do natural hazards and intelligent adversaries differ? Natural hazard data exist; intelligent adversaries are adaptive and dynamic. Are natural hazard risk analysis techniques appropriate for intelligent adversaries? But some techniques can be used. New techniques are needed. Can we model and use terrorist values and objectives? Yes. How should we analyze the risk of attacks from intelligent adversaries? Will require the design of new approaches. What knowledge should a national security risk analyst team have? Will require learning adversary strategies, new techniques, new technologies, and communications will very diverse stakeholders.