Protecting ourselves

From the New York Times, Analysts Say It Will Be Difficult to Shield Luxury Hotels From Terrorist Attacks:

But last week’s lethal attacks on two of India’s most famous hotels — coming just two months after a huge truck bomb devastated the Marriott in Islamabad, Pakistan — have underlined the extent to which these hotels are becoming magnets for terrorists. Worse, hotel executives and security experts say that little can be done to stop extensively trained gunmen with military assault rifles and grenades who launch attacks like the ones that left this city’s Oberoi and Taj Mahal Palace & Tower strewn with bodies.

This is not, perhaps, a surprising conclusion. Looking at the broad issue of protecting ourselves from attacks, we can take a number of factors, toss them around, and come up with the likelihood that we can prevent the attack. Some factors:

1. How many attackers are there?
2. How organized and trained are they?
3. What do they want to attack?
4. What consequences are they willing to accept to succeed?
5. What consequences are we willing to accept in our defense?

A single attacker trying to kill the president and get away afterward is relatively easy to defend against. One attacker, and a single target whose movements we’re willing to control tightly.

But change the variables, and the situation changes. If the attacker is willing to die, it makes things harder. More attackers, with organization and training, harder. More targets — suppose their goal is to kill a senator, any senator — and it’s harder still. Could we restrict the movements of 100 senators and lock them all down for their protection?

Now what happens when it’s an organization that wants to blow up cafes and pizzerias, and they don’t care whether their bombers survive the bombings? That’s the situation in Israel. They basically can’t stop the attacks, and to get as far as they have, they’ve had to restrict the free movement of the public to one extent or another.

And so, to the hotels: the very nature of a luxury hotel implies that tourists want to come and go, unimpeded. They want a pleasant, luxurious experience. The more restrictions you place, the less attractive the hotels become, making it so that if you lock them down enough to have even a little hope of defense, you’ll defeat your purpose by driving the customers away. And there are too many hotels to protect them all anyway.

It’s as it is with computer security, that security and usability are conflicting needs, and the key is to strike the right balance. In the case of the Mumbai attacks, or ones like them, it’s not possible to find a reasonable balance.

In any free society, we’re vulnerable to all sorts of attacks. And that’s the way it has to be. Put another way, it’s safest to live in a police state — but is that where we want to live?

NPR had a related item on All Things Considered on Wednesday, Report: Terrorists Could Use WMD By 2013:

It is “more likely than not” that a weapon of mass destruction — specifically a biological weapon that could include something like the deadly anthrax bacteria — will be used in a terrorist attack by the end of 2013.

That’s the conclusion of a high-powered commission created by Congress, which has just released its report, titled “World at Risk.”

The commission, chaired by retired Democratic Sen. Bob Graham, says the report is meant to neither frighten nor reassure Americans, but emphasize that the U.S. government is not doing enough to adapt to the growing risk of weapons of mass destruction.

Here, we have a prediction — and not from Sylvia Browne, though perhaps it might as well be — that there’s a greater than 50% likelihood that someone, somewhere will use a biological weapon within the next five years. That’s pretty broad, eh?

And the interesting thing about such a prediction is that it’s rather safe. For one thing, it’s easy to make predictions that we all hope will not come to pass. If they happen, the prediction was right; if they don’t, people tend to breathe a sigh of relief and are not, on the whole, very critical of the failure of the prediction. And anyway, they didn’t say it would happen, only that it was “more likely than not”. There was still a 49% chance that we’d be safe all along, even if they were right.

But there’s actually an extra bonus in this one: if the prediction fails, those in authority can actually claim credit for it. Here: these smart people made this prediction from good information, and the reason it didn’t happen is that we did the right things to prevent it. Yay, us!

Politicians — the Bush administration especially — love these sorts of things. They get to keep everyone afraid, which means that we’re more controllable. They get to say they need extra authority and power so they can “do more” to prevent catastrophe. And they get to claim credit for having saved us when the smart people turn out to have been wrong.

The reality is that we can probably prevent an attack on a particular event, but we can’t stop an attack from happening somewhere, at some time, in general. If an organized group decides to attack a college football game in Texas, or a county fair in Illinois, there’s little we can do absent specific information about attacks on those events.

That doesn’t mean that the effort is useless: we can do things that will help, and we should. But overall, DHS’s colour-coded alert system really boils down to “Red, Not Red”. And we can’t really be on red alert all the time. We have to be careful that what we do to try to reduce the threats doesn’t undermine our civil rights more than it helps our risk.

It’s safest to live in a police state — but that’s not where we want to live.