National Security & Managing Systemic Risk: A New Model

  • July 2020
  • PDF

This document was uploaded by user and they confirmed that they have the permission to share it. If you are author or own the copyright of this book, please report to us by using this DMCA report form. Report DMCA


Overview

Download & View National Security & Managing Systemic Risk: A New Model as PDF for free.

More details

  • Words: 2,517
  • Pages:
T H I N K I N G S T R AT E G I C A L LY A B O U T N AT I O N A L I N T E L L I G E N C E

You know that the best you can expect is to avoid the worst. 1

National Security as Managing Consequential and Catastrophic Risks. Today, Americans, as well as citizens from many other countries of the world, find themselves living under a state of exception. Normal is suspended. The unexpected almost always occurs. But with uncalculable probability and consequence. It appears that the links among risk assessment, risk mitigation, and the methodologies for establishing adequate budget have not yet been fully explored or developed. Many initiatives are so compartmentalized and fragmented that it is unclear with whom, or even where, responsibility resides, much less accountability for results. We appear to be fighting point source threats on many fronts, but non-point, systemic threat mitigation may still be under-focused on. Getting our arms around strategic issues of consequential and catastrophic systemic risks may assist in developing the methodologies we need to analytically establish prioritization and global budgets for risk mitigation initiatives. Otherwise, its just more shoot from the hip, spend broadly, and hope for the best. Hardly a recipe for success. My thoughts on thinking strategically about consequential and systemic risks are at: http://www.pdfcoke.com/doc/22163392/.

Italio Calvino, If on a Winter’s Night a Traveler (1979) in William Poundstone, Prisoner’s Dilemma (New York: Doubleday, 1992), 53. 1

Lyle Brecht

Draft 1.1

Thursday, December 3, 2009





Page 1 of 6

T H I N K I N G S T R AT E G I C A L LY A B O U T N AT I O N A L I N T E L L I G E N C E

National Intelligence as Identifying and Analyzing Consequential and Catastrophic Risks. What, most of all, defines this discourse of exceptionality is the suspension of a willingness to question the status quo of policy. Policy establishes much of our analytical frames of reference. Policy also delimits our ability to identify risks and to mitigate these risks. Examples of policies that, when analyzed, make no sense at all are legion today. Today, maybe the most immediate global consequential and catastrophic threats are from nuclear war and from global warming.2 The risk probability of a nuclear war is directly determined by policy. This policy is a 60-year old policy of nuclear deterrence based on an out-dated and largely disproved economic theory called rational choice theory that was incorporated into the game of mutual assured destruction.3 Is it rational to continue to play a game of nuclear deterrence that is out-of-date and unwinnable? In the past 64-years, the world has allocated approximately $60,000 billion to military defense. The world will spend $1,500 billion (U.S.) this year alone for military defense. The overdetermining belief is that military defense primarily renders a nation safer. Is this belief rational, given the constellation of risks that constitute national security today? Scientists have proven with ever more detail and preciseness that global warming is occurring today. Few members of the public would decide to challenge physicists concerning the details of quantum physics. Claiming that the theory of quantum physics was a hoax would be hard to swallow. Unfortunately, this questioning of basic physical reality (global warming and is effects can be demonstrated as clearly as the effects of a nuclear explosion) has been used to forestall policy development. The longer policy decisions are delayed and appropriate mitigation does not occur, the more expensive the consequential effects. Today, if 350 PPM CO2 is the tipping point (latest MIT studies), the cost of mitigation may exceed $20,000 billion. However, the global consequences of doing nothing may result in the morbidity of as many as a few billion humans, large numbers species lost and a worst case economic impact of $200,000 billion. May I ask, how is it rational to continue to delay policy decisions when so much is at stake? What are the intelligence requirements for an analysis of the national security ramifications? Potentially, the largest national security threat to the nation’s functioning integrity most recently was from the 2008 financial crisis. This was a glaring instance of markets (or anyone else) not managing systemic risk. Trillions of dollars in CDOs (collateralized debt obligations) derivatives based on the underlying asset values of mortgages on real property were sold. Hundreds of billions of dollars in salaries and bonuses were paid to Wall Street executives and traders for

2

See “Consequential and Catastrophic Risks” at http://www.pdfcoke.com/doc/22163392/.

3

See “The Economic Games Behind Nuclear Deterrence” at http://www.pdfcoke.com/doc/20228926/.

Lyle Brecht

Draft 1.1

Thursday, December 3, 2009





Page 2 of 6

T H I N K I N G S T R AT E G I C A L LY A B O U T N AT I O N A L I N T E L L I G E N C E

selling these insurance contracts. Yet, as the CDO market collapsed, U.S. taxpayers were asked, via the Federal Reserve and the U.S. Treasury to put-up approximately $17,489 billion in reserves (potential future taxes).4 From an economic risk perspective, this event was of greater consequence to the nation’s security, for example, than any war since WWII, or potentially a larger threat than any anticipated terrorist attack from outside our borders. Was our Intelligence Community (IC) up to speed in identifying and analyzing this systemic risk to the nation? Risks to cyberspace are getting a lot of attention today. It is evident that a lot of work and sound thinking are occurring. New, rich frameworks for public-private collaboration are being explored, as well as some innovative market-based incentives. However, to-date, the thinking regarding cyberspace security has primarily been a tactical-level exercise with many good ideas focused mostly on conventional, malicious threats to cyberspace. Lacking is strategic thinking and the methodology to set levels of capital allocation/budget for mitigating different levels of risk.5 ___________________________________________________________________________________ Below, are some comments on two recent public reports dealing with the threat of a terrorist attack. The comments are illustrative of some of the larger risk identification, and risk mitigation issues that I attempted to briefly explicate in my arguments above: Preliminary Thoughts on “How Terrorist Groups End” RAND report.6 1) Page 3, Definition: “definition of terrorism, this monograph argues that terrorism involves the use of politically motivated violence against noncombatants to cause intimidation or fear among a target audience.” Potential problems: (a) frame for what conventionally constitutes terrorism is based on hindsight bias and may be ambiguous and/or too narrow. I am thinking, for example, of Germany under Hitler Russia, under Stalin, Chile under Pinochet, Iraq under Sadam Hussein, etc. which are essentially terrorist-run governments, exacting torture and “politically-motivated violence against Estimate of reserves from Nomi Prins & Christopher Hayes, “Meet the Hazzards,” The Nation (October 12, 2009) at http://www.thenation.com/doc/20091012/prins_hayes based on the analytical work published in Nomi Prins, It takes a Pillage: behind the Bailouts, Bonuses, and Backroom Deal from Washington to Wall Street, (New York: Wiley, 2009). 4

5

See “Thinking Strategically about CNCI” at http://www.pdfcoke.com/doc/15769323/ and “National Cyber Systems Security Review Discussion” at http://www.pdfcoke.com/doc/12659947/. 6

Seth G. Jones and Martin C. Libicki, “How Terrorist Groups End: Lessons for Countering al Qaida,” RAND Corporation National Security Research Division (2008). Lyle Brecht

Draft 1.1

Thursday, December 3, 2009





Page 3 of 6

T H I N K I N G S T R AT E G I C A L LY A B O U T N AT I O N A L I N T E L L I G E N C E

noncombatants to cause intimidation or fear among a target audience” i.e. all citizens of the country or certain out-groups; (b) The presumption that “terrorists” are always part of an out-group, or not democratically elected within existing political processes results in your statistics suffering from conjunction fallacy where probabilities based on faulty definitional categorizations could get risk probabilities very wrong; (c) you may do better by including the idea of asymmetrical violence in your definition of terrorism. Even that leaves gaps, but plugs some obvious holes; 2) Scope neglect. I am uncertain why 1960 was chosen as the beginning of the period for analysis. For example, Vaclav Smil recognizes four distinct periods for asymmetrical violence: (a) 1879 - 1919 Russia’s Narodnaya volya (the people’s will) targeted assassinations; (b) 1920-1960’s terror in the service of self-determination (more like the American Revolution counterinsurgency activities); (c) 1960’s-70’s occupation protests (PLO’ IRA, etc.) and (d) 1979present religiously-inspired terrorist activities. We have data on terrorist activities from Biblical times. What has changed over time? My own claim is that the terrorism of the future will be non-stationary. Using historical data to assess risk will be of minimal value; 3) Anchoring. You are assuming terrorism is always a problem initiated by someone other than us (America). The definition above should be strong enough to identify when anyone engages in terrorism. E.g. In Iraq and Afghanistan, if you interviewed the local citizens, you might discover that from their perspective, we came as liberators, stayed as occupiers, and then became terrorists in our own right. However politically distasteful that analysis may be, analytically, it may an important issue to get risk probabilities and planning/strategy dynamics more right; 4) I would like to spend more thought on linking risk analysis with strategy and a methodology for allocating capital to mitigate specific levels of risk. What I have seen since 9/11 is a disjunctive between strategy, risk, and capital employed to mitigate that risk. Instead of an analytical process to accomplish this, the process has been highly politicized and topical. Thus, excessive capital has been over-employed to mitigate some popular risks, other important, less understood risks have gone wanting for budget, and budget has been wasted on mitigating some common risks that cannot be effectively mitigated by any amount of capital. That is, strategy, budget, and risk reduction have not been coordinated, have not

Lyle Brecht

Draft 1.1

Thursday, December 3, 2009





Page 4 of 6

T H I N K I N G S T R AT E G I C A L LY A B O U T N AT I O N A L I N T E L L I G E N C E

grown from solid analysis, and have largely been ineffective if one calculated an EROIC (economic return on invested capital) to address risks. Preliminary Comments on “Rare Events” MITRE report to DOD’s Strategic Multi-Layer Assessment (SMA) program.7 In B1 “Is 9/11 an Outlier” the report calculates (p) = 25.7% for a 9-11 event for the 38.5 year period from 1968-2006. I can see where you arrive at this calculated result, but conceptually, I am wondering exactly what the report means to convey: (a) by 9/11 ʻrare eventʼ do you mean an event that produces ~$90 billion in property damage and kills at least 3,000 people or an event that is 3 standard deviations beyond a ʻnormativeʻ terrorist attack? (b) the 27.5% (p) of this rare event is calculated post retrospectively. Is that even useful? I am thinking that before 9/11, maybe up to the summer of 2001, that the predicted (p) of a 9/11 event would have been negligible, and even during the summer of 2001, when the (p) of a terrorist action might have been confidently predicted at >90%, no one would have imagined a 9/11-type rare event, because such an event had never occurred in history (or at least knowledge of history accessible to those making such assessments); (c) I guess what I am getting at is that w/o constellated event data to input into our (p) calculations, all we can do is predict that something greater than normative may happen with x probability, assuming we are on a Cauchy-Lorenz distribution. What we cannot do with any precision is to predict where we are on that fat tail w/o more data. That is, we can be at a 9/11 rare event, or at the level of a rare event that has destroyed Cleveland w/ a nuclear weapon, pre-retrospectively; (d) Which brings me to B2 “Odds of 9/11 Scale Event in Next Decade” where calculated (p) = 6.7% over the next decade. Is this just a proportional calculation - that over the next 38.5 years the (p) of 27.5% between 1968-2006 is reconstituted post 9-11? I donʼt believe so. If we are already on the fat tail of a Cauchy distribution, our probability in the vicinity of a recent ʻrare eventʼ should increase by some factor e.g. if I am already in a drought year (now defined by non-stationarity, rather than by stationarity), the probability of next year being a DOD Research & Engineering’s Strategic Multi-Layer Assessment (SMA), MITRE’s Jason report, “Rare Events” (October 2009). 7

Lyle Brecht

Draft 1.1

Thursday, December 3, 2009





Page 5 of 6

T H I N K I N G S T R AT E G I C A L LY A B O U T N AT I O N A L I N T E L L I G E N C E

drought year is much higher than if I was on a Gaussian curve. The joke in the water supply business is that it appears a 100-year drought now occurs every 20-60 years, rather than every 100-years. (e) What I am getting at is that once a ʻrare eventʼ occurs in reality, it reflexively changes the distribution curve. The old curve no longer stands, assuming that learning can occur (e.g. its not about the (p) of an asteroid striking the earth). (f) Thus, I would recommend that the (p) of a 3-sigma terrorist event occurring w/in the 10years following 9/11 is actually much higher than pre-9/11. There are two gottchaʼs for this more probable ʻrare eventʼ however: (1) the rare event may be so different than a 9/11-type event, that we may not recognize it at first as a terrorist ʻrare eventʼ (I am thinking, for example, of a human-induced cascading failure of our cyber-network, etc. that does not kill people, but destroys GDP potential of the nation); and (2) the probability of a rare event occurring via malicious intent my be much lower than that of a similar rare event occurring due to systemic structural causes that may not be malicious, but accidental, due to inadequate O&M and R&R or chance occurrence that brings the system to a collapse state. (g) In fact, I contend that capital spent planning for the rare event may produce a better EROIC (economic return on invested capital) focusing on structural system vulnerabilities than primarily on identification and apprehension before-the-fact of malicious human actors. That is, spending capital to improve system resilience should a rare event occur, may produce greater benefit than attempting to thwart and anticipate all rare event threats where human actors have both intent and capacity to adversely disrupt the system state under consideration.

Lyle Brecht

Draft 1.1

Thursday, December 3, 2009





Page 6 of 6

Related Documents