December 09, 2006

ATS and the death of a thousand tiny cuts

If I were a terrorist, this would be great news. The US has revealed yet another apparently illegal and plainly dumb civilian spying programme, called ATS or Automated Targeting System. Basically, it datamines all passenger info, exactly what Congress told them not to do, and flags passengers according to risk profile.

Those who are responsible for US Homeland Insecurity had this to say:

Jayson Ahern, an assistant commissioner of the Department of Homeland Security's Customs and Border Protection Agency, told AP: "If (the ATS programme) catches one potential terrorist, this is a success."

From an FC perspective it is useful to see how other people's security thinking works. Let's see how their thinking stacks up. I think it goes like this:

  1. If we catch lots of terrorists we are winning the war on terror, so vote us back in.
  2. If we catch one terrorist, it's a success, so we must reinforce our efforts.
  3. If we catch no terrorists, we must try harder, so we need more data and programmes.

See the problem? There's no feedback loop, no profit signal, no way to cull out the loss-making programmes. The only success criterion is in the minds of the people who are running the show.

Meanwhile, let's see how a real security process works.

  1. Identify the objectives of the enemy.
  2. Figure out which of those objectives are harmful to us, and which are benign.
  3. Figure out how to make the harmful objectives loss-making to the enemy, and acceptable to us.
  4. Redirect the enemy's attention to objectives that do us no harm.
  5. Wait.

Approximately, the objectives of the terrorists are to deliver the death of a thousand tiny cuts to the foreign occupiers, to draw from the Chinese parable. In other words, to cause costs to the US and their hapless friends, until they give up (which they must eventually do unless they have some positive reward built in to their actions).

So let's examine the secret programme from the point of view of the terrorist. Obviously, it was no real secret to the terrorists ("yes, they will be monitoring the passenger lists for Arab names and meals....") and it is relatively easy to avoid ("we have to steal fresh identities and not order meals"). What remains is a tiny cut magnified across the entire flying public, and a minor inconvenience to the terrorist. Because it is known, it can be avoided when needed.

We can conclude then that the ATS is directly aligned with the objectives of the terrorists. But there's worse, because it can even be used against the USA as a weapon. Consider this one again:

"If (the ATS programme) catches one potential terrorist, this is a success."

Obviously, one basic strategy is for the terrorists to organise their activities to avoid being caught. Or, a more advanced strategy is to amplify the effect of the US's own weapon against them. As the results of the ATS are aligned with the objectives of the terrorists -- death by a thousand tiny cuts -- they can simply reinforce it. More and deeper cuts...

Get it? As a terrorist campaign, what would be better than inserting terrorists into the passenger lists? The programme works, so catching some terrorists causes chaos and costs to the enemy (e.g., the recent shampoo debacle). The programme works, so it is a success, therefore it must be reinforced. And it works predictably, so it is easy to spoof.

Even if the terrorist fails to get caught, he wins with some minor panic at the level of exploding shoes or shampoo bottles. And, if the suicide bomber is anything to go by, there is only a small cost to the terrorists as an organisation, and a massive cost to the enemy: consider the cost of training one suicide bomber (cheap if you want him to be caught, call it $10k) versus the cost of dealing with a terrorist that has been caught (publicly funded defence, decades of appeals, free accommodation for life, private jets and bodyguards..., call it $10m per "success").

Not to mention the megaminutes lost in the entire flying public removing their shoes. For the terrorist, ATS is the perfect storm of win-wins -- there is no lose square for him.

On the other hand, if our security thinking was based on risk management, we'd simply use any such system for tracking known targets and later investigation of incidents. Or turn it off, to save the electricity. Far too many costs for minimal benefit.

Luckily, in FC, we have that feedback loop. When our risk management programmes show losses, or our capital runs out, the plug is pulled. Maybe it is time to float the DHS on the LSE?

Posted by iang at December 9, 2006 12:33 PM
Comments

> Maybe it is time to float the DHS on the LSE?

You're one funny guy, Ian.

There's so much fraud in the world's financial system that this just might be possible. :) Of course all this fraud is going to come home to roost.

DHS should do an IPO while they still have a chance.

Posted by: bob at December 9, 2006 04:01 PM

Ok, here's a question for anybody. Does all fraud necessarily have to come to an end?

Posted by: bob at December 9, 2006 04:10 PM

Hey, at least you picked up the joke :) So to answer your question, I'd say "no." Fraud is a necessary part of the system, something which I assumed in my GP rants.

As a sort of corollary to Goodhart's law -- if you designate something as fraud, that only means you want to stop it, not that you can. Now, it then comes down to an economics basis for whether fraud can be stopped, and who it is that is doing the designation of fraud.

For example, insider trading is considered to be a 'good' by economists because it reveals information and a 'bad' by market regulators. The latter will call it fraud, and the former will point out the perfect market hypothesis probably demands the fraud must continue ...

Posted by: Iang at December 9, 2006 04:26 PM

> Hey, at least you picked up the joke :) So to answer your question, I'd say "no." Fraud is a necessary part of the system, something which I assumed in my GP rants.

But Ian, I don't think that is answering the question.


> As a sort of corollary to Goodhart's law -- if you designate something as fraud,

Fraud is what it is. It's not a matter of someone designating it.

> that only means you want to stop it, not that you can.

> not that you can.

Huh, fraud in general can't be stopped. It's part of life.
Let me narrow the question. Does some instance of financial fraud necessarily have to come to an end?


> Now, it then comes down to an economics basis for whether
> fraud can be stopped, and who it is that is doing the
> designation of fraud.

I don't know about the designation of fraud, but thinking about human nature, I can't see that fraud will not always be around. I see a problem if somebody is designated to define fraud, to protect us from it.

> For example, insider trading is considered to be a 'good'
> by economists

Screw the economists. Most of 'em are just mouthpieces.
I also understand that knowledge can be private property.

> because it reveals information and a 'bad'
> by market regulators. The latter will call it fraud, and
> the former will point out the perfect market hypothesis
> probably demands the fraud must continue ...

What I'm thinking is that the fraud, financially, can't continue. That there is a price to be paid for it.

I can't prove that. I'm too ignorant (lack of knowledge).

Posted by: bob at December 9, 2006 05:07 PM

and Hastings Corollary #1 sez:

today's legal offshore banking practice is tomorrow's onshore fraud and money laundering regulation.

nuff said

Posted by: anon at December 16, 2006 03:12 PM