U.S. national security faces rising challenges from insider threats and organizational rigidity, a Stanford professor says.

Amy Zegart, co-director of the Center for International Security and Cooperation at Stanford and a senior fellow at the Hoover Institution, wrote in a new study that in the past five years, seemingly trustworthy U.S. military and intelligence insiders have been responsible for a number of national security incidents, including the WikiLeaks publications and the 2009 attack at Fort Hood in Texas that killed 13 and injured more than 30.

She defines "insider threats" as people who use their authorized access to do harm to the security of the United States. They could range from mentally ill people to "coldly calculating officials" who betray critical national security secrets.

In her research, which relies upon declassified investigations by the U.S. military, FBI and Congress, Zegart analyzes the Fort Hood attack and one facet of the insider threat universe – Islamist terrorists.

In this case, a self-radicalized Army psychiatrist named Nidal Hasan walked into a Fort Hood facility in 2009 and fired 200 rounds, killing 13 people and wounding dozens of others. The shooting spree remains the worst terrorist attack on American soil since 9/11 and the worst mass murder at a military site in American history, she added.

Insights and lessons learned

Zegart's study of insider and surprise attacks as well as academic research into the theory of organizations led her to some key insights about why the Army failed to prevent Hasan's attack when clues were clear:

Image

In the Fort Hood case, she said, bureaucratic procedures kept red flags about Hasan in different places, making them harder to detect.

• Career incentives and organizational cultures often backfire. As Zegart wrote, several researchers found that "misaligned incentives and cultures" played major roles in undermining safety before the Challenger space shuttle disaster.

Zegart's earlier research on 9/11 found the same dynamic played a role in the FBI's manhunt for two 9/11 hijackers just 19 days before their attack. Because the FBI's culture prized convicting criminals after the fact rather than preventing disasters beforehand, the search for two would-be terrorists received the lowest priority and was handled by one of the least experienced agents in the New York office.

• Organizations matter more than most people think. Robust structures, processes and cultures that were effective in earlier periods for other tasks proved maladaptive after 9/11.

In the case of the Fort Hood attack, the evidence suggests that government investigations, which focused on individual errors and political correctness (disciplining or investigating a Muslim American in the military) identified only some of the root causes, missing key organizational failures.

Hasan slipped through the cracks not only because people made mistakes or were prone to political correctness, but also because defense organizations "worked in their usual ways," according to Zegart.

Adapting to a new threat

In terms of organizational weaknesses, Hasan's Fort Hood attack signaled a new challenge for the U.S. military: rethinking what "force protection" truly means, Zegart said. Before 9/11, force protection reflected a physical protection or hardening of potential targets from an outside attack. Now, force protection has evolved to mean that the threats could come from within the Defense Department and from Americans, she added.

"For half a century, the department's structure, systems, policies and culture had been oriented to think about protecting forces from the outside, not the inside," Zegart wrote.

In the case of Hasan, the Defense Department failed in three different ways to identify him as a threat: through the disciplinary system, the performance evaluation system and the counter-terrorism investigatory system run jointly with the FBI through Joint Terrorism Task Forces.

"Organizational factors played a significant role in explaining why the Pentagon could not stop Nidal Hasan in time. Despite 9/11 and a rising number of homegrown Jihadi terrorist attacks, the Defense Department struggled to adapt to insider terrorist threats," Zegart wrote.

Difficult to change

Another problem was that the Pentagon faced substantial manpower shortages in the medical corps – especially among psychiatrists. So the Defense Department responded to incentives and promoted Hasan, despite his increasingly poor performance and erratic behavior.

In addition, Zegart found the Defense Department official who investigated Hasan prior to the attack saw nothing amiss because he was the wrong person for the job – he was trained to ferret out waste, fraud and abuse, not counterterrorism, which is why he did not know how to look for signs of radicalization or counterintelligence risk.

"In sum, the Pentagon's force protection, discipline, promotion and counter-terrorism investigatory systems all missed this insider threat because they were designed for other purposes in earlier times, and deep-seated organizational incentives and cultures made it difficult for officials to change what they normally did," she wrote.

Zegart acknowledges the difficulties of learning lessons from tragedies like 9/11, the NASA space shuttle accidents and the 2009 Fort Hood shooting.

"People and organizations often remember what they should forget and forget what they should remember," she said, adding that policymakers tend to attribute failure to people and policies. While seemingly hidden at times, the organizational roots of disaster are much more important than many think, she added.

It’s a technique that’s been used to calculate the odds of everything from the likelihood of a nuclear meltdown to the chances of getting sick from eating bad seafood.

Today, a CISAC scholar told the U.S. Senate Judiciary Committee that he hoped probabilistic risk analysis could help move the ball forward in the debate over encryption that’s pitted law enforcement and national security agencies against some of Silicon Valley’s most influential technology companies.

“Neither side can prove its case, and we see a clash of theological absolutes,” said Herb Lin, senior research scholar for cybersecurity at the Center for International Security and Cooperation and research fellow at the Hoover Institution, in his testimony before a full hearing of the committee.

The contentious debate over encryption has developed in the wake of the National Security Agency spying scandal, with tech titans Apple and Google recently announcing plans to implement stringent new cryptography protocols to protect customer data.

“When the Snowden documents revealed that NSA was hacking [the tech companies], there was a real sense of betrayal,” Lin said.

“You now hear tech companies talking about the U.S. government in the same way they talk about China. They feel like they have to protect themselves against the U.S. government in the same way they have to protect themselves against China. That’s a terrifying thought. In that kind of environment, there’s no trust.”

Law enforcement and national security agencies want tech companies to integrate a mechanism for the government to gain “exceptional access” to encrypted data into their new encryption technology. But, industry and privacy advocates have resisted, arguing that creating a so-called “backdoor” would make their software more vulnerable to attacks from hackers.

FBI director James B. Comey, who also testified before the committee, warned that the latest generation of encryption technology was putting American lives at risk. He said that the Islamic State in Iraq and Syria (ISIS) was actively recruiting homegrown terrorists via Twitter then using end-to-end encrypted mobile messaging apps to secretly send orders for them to carry out attacks within the United States.

FBI Director James B. Comey (right) testifies before the U.S. Senate Judiciary Committee about the national security risks of end-to-end encryption, with Deputy Attorney General Sally Quillian Yates (left) at his side, as CISAC senior research scholar Herb Lin looks on from the gallery.

“Our job is to look in a haystack the size of this country for needles that are increasingly invisible to us because of end-to-end encryption,” Comey said.

Deputy Attorney General Sally Quillian Yates, who testified at Comey’s side, said law enforcement could not get access to that kind of encrypted communications, even with a valid court order.

“Critical information becomes in effect ‘warrant proof’,” she said.

“Because of this, we are creating safe zones where dangerous terrorists and criminals can operate and avoid detection.”

It is a polarizing debate.

Image

“I’d like to find a way to move the ball forward rather than seeing both sides being stuck in the trenches shouting at each other.”

Lin’s proposal, which he presented to the Senate Judiciary Committee on Wednesday, recommended that both sides focus on estimating how long it would take a hacker to break into an encrypted device equipped for “exceptional access.”

“If it takes a thousand years for a bad guy to figure out how to hack…that’s probably secure enough,” Lin testified.

“If it takes him 30 seconds, using that mechanism is a dumb idea. So somewhere between 30 seconds and a thousand years, the mechanism changes from being unworkable to being secure enough.”

Not all computer security experts believe such a calculation would be possible.

“It’s challenging to come up with a defensible methodology for estimating the risk that a backdoor system will be compromised,” said Jonathan Mayer, a Stanford PhD candidate in Computer Science and former CISAC cybersecurity fellow who garnered national headlines for his research demonstrating that the NSA could use phone metadata to reconstruct detailed personal information.

“Not only are the risks of compromise unknown – they’re unknowable.”

However, Lin said the mathematical methodology known as probabilistic risk analysis, which has widely been used to predict the likelihood of catastrophic failure in complex systems from nuclear power plants to the space shuttle, might be able to shed some useful light on the risks.

And, he said, the only way to find out if it could successfully be used to calculate the risks of encryption software getting hacked would be to conduct more research.

Veterans of the so-called “Crypto Wars” of the ‘70s and ‘90s (when the U.S. government tried to limit public access to encryption technology), like Stanford professor emeritus of electrical engineering and CISAC affiliated faculty member Martin Hellman, said proposals like Lin’s could help advance the public debate and bring both sides closer together.

“Getting the two opposing sides to talk — and listen — is really important,” Hellman said.

“That's what happened 20 years ago when Congress asked the National Academies to look at an almost identical problem. It got those different groups talking and working out compromises.”

What is it about terrorism that makes it so difficult to study and counteract through U.S. government policy? That’s the central question CISAC Senior Fellow Martha Crenshaw hopes to answer in an upcoming book she is co-authoring with Gary LaFree, Director of the National Center for the Study of Terrorism and Responses to Terrorism (START), where Crenshaw serves as lead investigator. at the University of Maryland. 

The idea for the book stems from Crenshaw’s long career in grappling with terrorism and observing how governments struggle to combat it. She has been writing and thinking about terrorism since the 1970s and is currently conducting a multi-year project mapping the evolution of violent extremist groups. However, the difficulties inherent in the topic have not much changed for academics and policymakers.

The problems start with defining terrorism, something that has bedeviled both researchers and policymakers for decades, Crenshaw told a Stanford audience in CISAC. 

“We are still arguing about what terrorism means. But even if you agree on a definition, then applying it to the real world remains difficult,” she said.

Beyond semantics, the study of terrorism faces a series of hurdles inherent to the topic. An overarching social theory of the causes of terrorism remains elusive, and there is no agreement on whether terrorism actually works. 

Additionally, academics have used many different levels of analyses–individual, organizational, cultural, economic, and others–but have yet to agree on which analyses bear more fruit.

Despite what you might gather from what’s said in the media, terrorism events are actually very rare. Terrorist attacks that kill large amounts of people are even more rare. “9/11 was a black swan, a highly consequential event but only a one-of-a-kind. We show why it’s the case that terrorism is very rare and therefore makes it very hard to predict any kind of trends,” Crenshaw said.

Most of the information available is about attacks that actually happened. But there are many more plots, about ten times more, than actual attacks. Crenshaw said she and her research assistants have used news media and government documents to identify failed and foiled plots against the United States, European Union, and NATO countries plus Australia and New Zealand. The plots have been coded in a dataset that she will analyze.  

There are additional obstacles in the way of researchers and policymakers. 

Attributing responsibility for attacks is difficult, which hampers research and government responses. “How do you know who to respond against? The concept of terrorism is mixed in with insurgency. It’s hard to think of a policy that targets one but not the other,” Crenshaw said. Terrorist organizations are very small and the boundaries between groups are extremely porous. Yet, there is not a preponderance of lone wolves.

Sometimes, the U.S. government obstructs research. Crenshaw lamented the over-classification of government documents, and drew particular attention to the designation “For Official Use Only”, which is not a classification but a designation that seems to depend on the agency using it. 

“If you are analyzing illegal forms of violence there are three sources of information: governments, victims, and terrorists. Victims are difficult to find. Self-reporting is even harder and usually unfeasible. And governments are very secretive. We would like to see more transparency and openness on their part,” she said.

“I think what is being done here is really important when it comes to the question of why it’s so hard to find policy solutions for terrorism,” said Betsy Cooper, a Law and International Security Postdoctoral Fellow at CISAC, who offered commentary on the book draft to the seminar. “A lot of what is in the chapter about the state of counter-terrorism research is very important.” 

“I learned a lot especially about the automation in the global terrorism database and it poses some interesting questions. Is something terrorism because we say it is or can we use objective criteria regardless of whether you see it as something else?” 

U.S. Navy Adm. Cecil D. Haney, the U.S. Strategic Command commander, hosted CISAC Co-Directors David Relman and Amy Zegart as well as CISAC faculty and fellows at Offutt Air Force Base in Nebraska on March 30-31, 2015, to promote military-to-university cooperation and innovation, and provide a better understanding of USSTRATCOM’s global missions.

The visit follows Haney’s trip to Stanford last year, during which he held seminars and private meetings with faculty, scholars and students to discuss strategic deterrence in the 21st century. Those discussions focused on reducing the U.S. nuclear weapons stockpile while maintaining an effective deterrent, the integration of space and cyberspace in nuclear platforms and the congested, contested and competitive operating environment in space.

“Developing and maintaining partnerships with security experts from the private sector and academic institutions like CISAC enables USSTRATCOM to view the strategic environment from a different perspective and adjust our decision calculous accordingly,” Haney said. “We are excited about this unique opportunity to exchange ideas and share information with this prestigious organization.” 

Haney opened the discussions by presenting a command mission brief, in which he described USSTRATCOM’s nine Unified Command Plan-assigned missions, his priorities as commander and his ongoing effort to build enduring relationships with partner organizations to exchange ideas and confront the broad range of global strategic challenges.

Zegart, who is also a senior fellow at Stanford’s Hoover Institution, said getting to see and experience how USSTRATCOM operates first-hand was “an eye opener.”

“It’s one thing to think about deterrence, it’s another to live it,” she said. “When you go to each other’s neighborhoods, you gain a better understanding of where each side is coming from … and that’s enormously important to us in how we think about deterrence and what we can do to help USSTRATCOM and its mission.”

“These kinds of exchanges have cascade effects on young people; how they think about civil-military relations [and] how they understand what our military is doing,” she added.

Image

The delegation also received a tour of USSTRATCOM’s global operations center and held discussions with subject matter experts on strategic deterrence, cyber responsibility and nuclear modernization.

“As a cybersecurity fellow, it was fascinating to visit the global operations center and the battle deck to see the role that cybersecurity and information technology plays in the strategic deterrence mission,” said Andreas Kuehn, a CISAC pre-doctoral cybersecurity fellow from Switzerland. “At CISAC, we often discuss deterrence from a theoretical perspective, so it was very insightful to hear from people who work in [this field] and see how they deal with deterrence in an operational manner.”

The two-day visit concluded with an open discussion, during which CISAC and USSTRATCOM members discussed the most effective means to share information, plan future engagements and continue working to build on the mutually beneficial relationship between the two organizations.

“Sometimes people talk [about strategic issues] in the abstract and it becomes difficult to understand what is happening on the ground and in the real world,” Kuehn said. “I think [USSTRATCOM] took extra steps to keep the conversations open and concrete.”

USSTRATCOM is one of nine Department of Defense unified combatant commands charged with strategic deterrence, space operations, cyberspace operations, joint electronic warfare, global strike, missile defense, intelligence, surveillance and reconnaissance, combating weapons of mass destruction, and analysis and targeting.

In this talk sponsored by the Stanford Institute for Economic Policy Research, three CISAC scholars discuss the Islamic State, Iran and the Taliban and the threats they impose to American security. The talk is moderated by Brad Kapnick, a Partner at Katten & Temple, LLP, and SIEPR Advisory Board member. Joining him are Martha Crenshaw, a senior fellow at CISAC and the Freeman Spogli Institute for International Studies and professor, by courtesy, of political science; CISAC Senior Fellow Scott Sagan, the Caroline S.G. Munro Professor of Political Science; former U.S. Ambassador to Afghanistan Karl Eikenberry, the William J. Perry Fellow at CISAC and a consulting professor at the Freeman Spogli Institute.

This is an abbreviated version of the talk below. The full talk can be found here.