August 18, 2003

Distributed Defense

Terrorism is not an enemy. Terrorism is a tactic. Terrorists are enemies, and we are tracking them down and killing them, depriving them of finances and bases of support, and generally making their life miserable as best we can. We are, as far as I can tell from what I'm able to find in the press and in conversations with people who are involved, doing a pretty good job of that.

We appear to be failing, though, to get homeland security right. Partially, this is because we are acting like threatened cats: puffing ourselves up to look bigger and scarier than we really are. Hence the inconveniences at airports, many of which add more to the appearance of security than to its actual efficacy. Partially, too, this is because we don't know what we are doing yet. There are a lot of lessons to learn. And partially, this is because we are facing an unprecedented threat: any of the uncountable soft targets in our very infrastructure-dependent society can be attacked by a small number of determined people, with easily-acquired and concealed weapons, at the time of their choosing.

Large, complex and distributed systems - whether deliberately-created like our electrical system or created as a side-effect of something else like our cities and towns - are the result of competing forces. There are four major forces to consider, particularly in deliberately-created systems: scalability, redundancy, managability and cost. Scalability requires local control; redundancy requires excess capacity; managability (or, more often, the appearance of managability) improves with centralized control; cost increases with excess capacity and overheads incurred to put layers of management (or accountability, if you want to phrase it a bit differently) on top of a distributed system. Cost also includes non-monetary costs, particularly in non-deliberate systems. Obviously, any such system will be a compromise.

Our government (itself a large, complex and somewhat distributed system) is, like all governments I am aware of, highly centralizing: all problems are taken to the highest possible level, and the solutions generated there are filtered down to the lower levels. (I realize that this is not how we were supposed to be, and it's not how the Constitution envisions things, but think for a moment about the Federal government's power over education alone - one of the most local issues possible - and tell me that I am wrong about the reality.) This is because being able to put the finger of blame on a guilty party (or a plausible scapegoat) requires centralization, and this is more important in the government than anything else, including the efficacy of any particular program. This is even true of the Department of Defense during wartime - look at the headhunting for who was "at fault" for the pause in operations during the sandstorms of the Iraq campaign's second week.

It so happens that a natural emergent feature of free-market democracies is a tendency to create very distributed systems. This arises out of people having similar entreprenurial ideas, which then grow together over time as they mutually reinforce. The resulting systems, as they tie together, are often chaotic, spread over large areas, with no central locus of control and typically an unusual amount of excess capacity. Such systems are very vulnerable to terrorist attack, because the critical points of the system are so numerous that it is impossible to defend them all all of the time, yet a successful attack on any one will cause great damage. Note that this works for the population as a whole in democracies as well, where freedom of movement and freedom to choose where you live combine to create a difficult-to-control pattern of population. Will the attack come on a bus? At a mall or a supermarket? At the theater? Which one?

In some systems, particularly those with high up front costs to enter the market, and low marginal costs to operate, the tendency is towards corporate monopoly. The government tends to regulate in such a way as to increase accountability and extract either politcal points or revenue or both from the system (both of which are disincentives to running a system that is not as lean as possible), rather than to decrease central control and add excess capacity. Finally, the profit motive leads costs to be cut on any system wherever possible, and excess capacity costs money.

The result of all of these tendencies is that a single bit of equipment at a single switching station at the right place on the power grid can shut down power for several states, and a single pumping station at a single pipeline, chosen correctly, can leave a major metropolitan area without water. Any large, complex, widely-distributed system has such vulnerabilities, and any such system is virtually impossible to defend. Winds of Change has an article listing several such systems and linking to analyses well worth reading. They also link to an article which has a quote which sums up the problem:

As they do not see, behind the benefits of civilisation, marvels of invention and construction which can only be maintained by great effort and foresight, they imagine that their role is limited to demanding these benefits peremptorily, as if they were natural rights. - Jose Ortega y Gasset from The Revolt of the Masses

Actually, though, it is possible to build complex, widely-distributed systems which are capable of withstanding terrorist attacks, or even nuclear attacks. In fact, the Internet was designed to survive and retain some capability during a nuclear attack. It should be noted that the Internet was originally known as ARPAnet, and was created by the same agency that thought up the idea of a futures market for predicting terrorist attacks.

The way that the Internet was intended to work is that each network would be connected to multiple other networks, and the traffic would flow freely through all of the networks. This ensured that there were multiple paths for data to travel. If Dallas were offline, the packet would be automatically routed around Dallas. If the network segment between two points was overloaded, a more circuitous route would be taken to equalize the load. This model was abandoned, however, when companies took over the Internet to all practical purposes, and it was abandoned for two reasons: cost and security. You see, how do you explain to the boss that it's a good idea to route someone else's traffic through your network, and to let them do the same? Wouldn't it be better - cheaper and safer - to allow internal traffic out any connection, but not to allow outside traffic in unless its destination was inside the company itself? And if you filter the traffic through DMZs protected by firewalls, so much the better, because that makes it more difficult to have your systems hacked.

The problem is, though, that this dramatically reduces connectivity, because your traffic will only flow out through the connections you have to your providers, and along their networks to their destinations. And of course, it wasn't long before the backbone providers cut their costs by combining capacity into larger (usually shared) cables for long-distance hauls, and putting switching for several providers all in the same few locations, so that they could exchange traffic with each other in order to connect the whole Internet. As a result of the corporate actions to seal off their networks (effectively making themselves leaf nodes, even if they were leafs on multiple branches), and the backbone providers' actions to limit their costs and increase their interconnections with other backbone providers, I suspect I could eliminate about 75% of the US Internet connectivity by attacking just 2 to 4 NAPs. In fact, it might be possible to do most of this just by attacking MAE-East. There's nothing inherent in the technology which prevents us from adding the additional wire capacity, switching locations and routing to make the Internet impossible to take down except in a purely local sense. There are cost and control reasons that prevent us from doing it, though.

The electrical system has similar problems, as we've recently had demonstrated yet again. The energy distribution system has similar problems. The water system has similar problems, although they would be more difficult to fix, because of the limited sources of supply. This would require the government to focus on scalability and redundancy, allow for further decentralization of resource control and management, and offset the portion of the costs which would not be commercially recoverable (rather than mandating a hidden tax on businesses to comply with regulations). Sadly, the natural tendency of government is in the opposite direction.

For defending the people, though, the problem is somewhat different, because you cannot "add redundancy" in a meaningful sense. You must defend the population. The government is certainly doing a good job, as far as I can tell, going after the current and emerging terrorists, but it has not taken some critical steps to allow the population to defend itself. The government realizes that it cannot be everywhere - certainly that is a point that Secretary Rumsfeld has made more than once - but it has not taken the step to trusting the people to defend themselves, and encouraging them to do so.

And this is where the Bush administration has failed us in homeland defense. The administration is attempting to defend all of these systems by itself, and in general is doing so the way a government would: it is trying to increase controls and accountability, without concern for costs, scalability or redundancy. Worse, the government is actively interfering in a great many activities (mostly gun-related) that people could undertake in their own defense. Since these kinds of actions are the kinds that would be naturally appealing to a conservative administration, this makes the situation doubly-damned.

I first saw the key to solving these problems stated by Glenn Reynolds:

So the snipers that paralyzed and terrorized the Washington, D.C. metropolitan area are caught now. But it's worth thinking about how they were caught. After repeatedly slipping through the fingers of law enforcement, John Muhammad and Lee Salvo were caught because leaked information about the suspects' automobile and license number was picked up by members of the public, one of whom spotted the car within hours and alerted the authorities - blocking the exit from the rest area with his own vehicle to make sure they didn't escape. "You can deputize a nation," said one news official after the fact.

Yes. With proper information, the public can act against terrorists - often, as we found on September 11, faster and more effectively than the authorities. The key, as Jim Henley noted, is to "make us a pack, not a herd."

The problem is that this goes against the very grain of intelligence agencies, law enforcement agencies, and so on. Within bureaucracies in general - and doubly within intelligence and law enforcement bureaucracies - information is power, and power isn't something you want to share. And if you deputize a nation, doesn't that make the official deputies just a little bit less special?

The problem with this mindset is that it's all about bureaucratic turf, and not about getting the job done. Otherwise we'd have learned the lesson long ago.

To coin a phrase: indeed.

The actions the government should be taking in homeland defense should be focused on giving individual citizens the power to defend themselves and their infrastructure.

For the infrastructure, excess capacity beyond what the market may support normally must be built in, and this capacity must be linked through a highly-redundant web of distribution channels. In some cases, such as with the water supply, the necessary work can be done entirely by the government, since it is governments (mostly local, in this case) which control the existing systems. In other cases, such as with the electrical systems, the government needs to give incentives for building in additional capacity and distribution channels to make the systems more robust.

For the population, the government needs to encourage the population to arm itself with handguns and long arms; to offer training in spotting bombs, recognizing vulnerabilities, emergency medical care, planning in advance for contingencies and the like; and to give us the information we need to understand and react to threats. Note: the government should not try to control or direct these activities, just to encourage them. If the government were to pick a one-size-fits-all solution, we'd be no better off than we are now.

For example, when the DC snipers were on the loose, I marvelled that we didn't have pairs of armed citizens on every street corner, with more patrolling the spaces between. At the very least, such an active defense would have made the snipers' jobs more difficult, and might have forced them out of the area entirely. We don't have a militia in this country any more, but we need one. A pack, not a herd.

UPDATE (8/19): Armed Liberal comments, and I have a brief response in the comments section there.

(And no, the National Guard is not a successor to the militia; it is a state-controlled reserve force for the Federal military, with additional duties for disaster relief.)

Posted by Jeff at August 18, 2003 12:31 AM | Link Cosmos
Comments

I wonder how low-level a militia pilot project could be. Could one city offer training to volunteers and include them in disaster exercises? This might be a good way to prove out the concept before pushing for a state or national level program.

Posted by: Karl Gallagher on August 18, 2003 01:46 PM

The Constitution and some of the very first laws passed by the United States make pretty clear that a local government can do just exactly that. Indeed, the local provision and defense of stability is kind of the point of a militia.

Even so, I suspect that such a move would be strongly opposed by the Federal government.

Posted by: Jeff on August 18, 2003 02:23 PM
Post a comment