National Security Risk Analysis
Dr. Greg Parnell
Professor of Systems Engineering
Department of Systems Engineering
United States Military Academy at West Point
gregory.parnell@usma.edu
&
Senior Principal, Innovative Decisions Inc.
gparnell@innovativedecisions.com
Disclaimer
The views expressed in this presentation are
those of the author and do not reflect the official
policy or position of the United States Army, the
Department of Defense, Innovative Decisions,
Inc., the National Research Council, or the
Department of Homeland Security.
Agenda
• What is our U.S. National Security Strategy?
• What are the sources of national security risk?
• How do natural hazards and intelligent adversaries
differ?
• Are natural hazard risk analysis techniques
appropriate for intelligent adversaries?
• Can we model and use terrorist values and
objectives?
• How should we analyze the risk of attacks from
intelligent adversaries?
• What knowledge should a national security risk
analyst team have?
U.S. National Security Strategy
Protect National Security and Lay Foundation for Future Peace
• Protect U.S., allies, and interests
• Prevent WMD Threats
• Increase Regional Security
• Promote Democracies
• Champion Human Dignity
• Promote Economic Growth
• Promote Free Markets and Trade
• Achieve Benefits of Globalization
• Defeat Global Terrorism
Source: National Security Strategy of the United States, March 2006
Risk of WMD in the National
Security Strategy.
• Prevent our enemies from threatening us, our
allies, and our friends with WMD.
– “the greater the threat, the greater the risk
of inaction”
– “Biological weapons pose a grave WMD
threat because of the risk of contagion that
would spread disease across large
populations and around the globe”
The National Security Strategy of the United States of America, The White House, March 2006
Risk terms (threat, vulnerability, and
consequences) are used frequently.
• Threats (42)
– WMD (Nuclear, Biological, and Chemical)
– Global Terrorism
– Opportunistic aggression (regional security)
– Pandemic
• Vulnerability (1)
– DHS is “focused on three national security objectives:
preventing terrorist attacks within the U.S.; reducing America’s
vulnerability to terrorism; and minimizing the damage and
facilitating the recovery from attacks that do occur”
• Consequences (7)
– Proactive counterproliferation efforts and improved protection to
mitigate consequences of WMD use
– When the consequences of an attack with WMD are potentially
so devastating, we cannot afford to stand idly by as grave
dangers materialize.
The National Security Strategy of the United States of America, The White House, March 2006
Intelligent adversary (terrorism) risks are
different than natural hazards.
Natural Hazards compared with Intelligent Adversaries (Terrorism, Information Security)
• Historical Data
– Natural hazards: Some historical data: Record of several extreme events already occurred.
– Terrorism: Very limited historical data: 9/11 events were the first foreign terrorist attacks worldwide with such a huge concentration of victims and damages.
– Information security: Extensive historical data for existing systems: Information systems are under continuous attack. Difficult to predict attacks for new system designs.
• Risk of Occurrence
– Natural hazards: Risk reasonably well-specified: Well-developed models for estimating risks based on historical data and experts’ estimates.
– Terrorism: Considerable ambiguity of risk: Terrorists can purposefully adapt their strategy (target, weapons, time) depending on their information on vulnerabilities. Attribution may be difficult (e.g., anthrax attacks).
– Information security: Ambiguity of risk: Attackers can access data not known to users or information security specialists. Attribution difficult.
• Geographic Risk
– Natural hazards: Specific areas at risk: Some geographical areas are well known for being at risk (e.g., California for earthquakes or Florida for hurricanes).
– Terrorism: All areas at risk: Some cities may be considered riskier than others (e.g., New York City, Washington), but terrorists may attack anywhere, any time.
– Information security: All areas at risk: Internet provides connectivity for attackers as well as users. Information security only as good as weakest link.
• Information
– Natural hazards: Information sharing: New scientific knowledge on natural hazards can be shared with all the stakeholders.
– Terrorism: Asymmetry of information: Governments sometimes keep secret new information on terrorism for national security reasons.
– Information security: Some sharing but strong incentives not to share. Organizations have incentives to keep attacks confidential to avoid loss of customer confidence.
• Event Type
– Natural hazards: Natural event: To date no one can influence the occurrence of an extreme natural event (e.g., an earthquake).
– Terrorism: Intelligent adversary events: Governments may be able to influence terrorism (e.g., foreign policy; international cooperation; national and homeland security measures).
– Information security: Intelligent adversary events: Governments can influence, some international cooperation and national measures.
• Preparedness and Prevention
– Natural hazards: Government and insureds can invest in well-known mitigation measures.
– Terrorism: Weapons types are numerous. Federal agencies may be in a better position to develop more efficient global mitigation programs.
– Information security: Attacks are numerous and growing in sophistication.
• Modified from Kunreuther, H. and Michel-Kerjan, E. (2005), “Insuring (Mega)-Terrorism: Challenges and Perspectives”, in OECD,
Terrorism Risk Insurance in OECD Countries, July (modified first two columns and added third column).
• Parnell, G. S., Dillon-Merrill, R. L., and Bresnick, T. A., 2005, Integrating Risk Management with Homeland Security and Antiterrorism
Resource Allocation Decision-Making, The McGraw-Hill Handbook of Homeland Security, David Kamien, Editor, pp. 431-461
Some key questions for risk analysis of the
threat of WMD.
• Purpose
– Who uses the risk assessment?
– What do they use the risk assessment for?
– How does it support risk management?
• Data collection
– Who are the subject matter experts (SMEs)?
– Can we access the SMEs?
– What are the terrorist objectives?
– What are the agent/weapon threats?
– How do we deal with asymmetry of threat information?
• Modeling
– Are natural hazard techniques (e.g., event trees) appropriate for intelligent adversaries?
– What can we learn for information assurance risk analysis?
– Are other techniques available?
– Should terrorist decisions be model inputs or outputs?
– Who provides the probabilities?
– How do we assess the probabilities?
– What consequences should be considered?
– How do we model the consequences?
• Presentation
– How should we present the risk to decision makers and stakeholders?
Decision tree calculations with notional data.
(Values in brackets are expected consequences.)
Attack (adversary decision) [50]
• A: Consequences [50]
– Attack Success, 50%: 100
– Attack Failure, 50%: 0
• B: Consequences [30]
– Attack Success, 60%: 50
– Attack Failure, 40%: 0
An intelligent adversary trying to maximize
consequences would select Attack A.
A canonical intelligent adversary problem to
compare risk analysis techniques.
• Adversary attack (terrorist)
– Select target
– Select biological agent, nuclear weapon, chemical agent
– Acquire, deploy, and employ agent/weapon
• Consequences
– Attack success or failure
  • Detection
  • Interdiction
  • Vulnerability
– Consequences given attack
  • Consequence management
[Figure: the problem drawn as an event tree and as a decision tree, each running from Attack to Consequences.]
Colleagues Howard Kunreuther and Tony Cox contributed to this formulation.
Event tree calculations with notional data.
(Values in brackets are expected consequences.)
Attack (chance node) [32]
• A, 10%: Consequences [50]
– Attack Success, 50%: 100
– Attack Failure, 50%: 0
• B, 90%: Consequences [30]
– Attack Success, 60%: 50
– Attack Failure, 40%: 0
Attack B contributes 84% of the risk.
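Added example (not part of the original slides): the same notional A/B data rolled back once as an event tree, where the attack choice is an analyst-supplied input, and once as a decision tree, where it is the adversary's output. The function names and the switch_point sensitivity check are assumptions introduced here for illustration.

```python
"""Event tree vs. decision tree rollback on the slides' notional data (added example)."""

# Notional data from the slides: option -> (P(attack success), consequence if successful).
OPTIONS = {"A": (0.50, 100.0), "B": (0.60, 50.0)}
# Event-tree input from the slides: analyst-assigned probability that each attack is chosen.
ASSUMED_ATTACK_PROBS = {"A": 0.10, "B": 0.90}


def chance(branches):
    """Expected value of a chance node given [(probability, value), ...]."""
    total_p = sum(p for p, _ in branches)
    if abs(total_p - 1.0) > 1e-9:
        raise ValueError(f"branch probabilities sum to {total_p}, not 1")
    return sum(p * v for p, v in branches)


def option_values(options):
    """Expected consequences of each option: success/failure chance node, failure = 0."""
    return {name: chance([(p, c), (1.0 - p, 0.0)]) for name, (p, c) in options.items()}


def event_tree(options, attack_probs):
    """Attack choice as an INPUT: a chance node weighted by analyst probabilities."""
    values = option_values(options)
    risk = chance([(attack_probs[name], values[name]) for name in values])
    shares = {name: attack_probs[name] * values[name] / risk for name in values}
    return risk, shares


def decision_tree(options):
    """Attack choice as an OUTPUT: the adversary maximizes expected consequences."""
    values = option_values(options)
    choice = max(values, key=values.get)
    return choice, values[choice]


def switch_point(options, preferred, rival):
    """Success probability of `preferred` below which the adversary switches to `rival`."""
    rival_value = option_values(options)[rival]
    return rival_value / options[preferred][1]


if __name__ == "__main__":
    risk, shares = event_tree(OPTIONS, ASSUMED_ATTACK_PROBS)
    print(f"event tree: risk={risk:.1f}, shares={ {k: round(v, 3) for k, v in shares.items()} }")
    print("decision tree: adversary picks %s, expected consequences %.1f" % decision_tree(OPTIONS))
    print(f"A stays preferred until its success probability falls below {switch_point(OPTIONS, 'A', 'B'):.2f}")
```

The two rollbacks rank the options in opposite order: the event tree attributes most of the risk to B because of the assumed 90% input, while the maximizing adversary selects A.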
Mission Oriented Risk and Decision Analysis (MORDA)
supports the information assurance design process.
[Figure: MORDA process diagram. Labels: Adversaries; Hardware & Software; User Mission Support Needs; Mission Support & Service Provider Models; Design Options; Evaluate Design; Adversary Attack Model; SOCRATES Model; Integration & Analysis Model; Select Design. System Lifecycle: Develop, Integrate, & Deploy; Operations & Maintenance.]
Risk Assessment
Attack trees
Risk Management
Multiple objective decision analysis
• Attacker
• Mission Support
• Service Providers
Optimization and Cost/Benefit Analysis
• Countermeasure design options
Buckshaw, D. L., Parnell, G. S., Unkenholz, W. L., Parks, D. L., Wallner, J. M. and Saydjari, O. S., “Mission Oriented Risk
and Design Analysis of Critical Information Systems,” Military Operations Research, 2005, Vol 10, No 2, pp. 19-38.
Terrorist Acts Suspected of or Inspired
by al-Qaeda
1993 (Feb.): Bombing of World Trade Center (WTC); 6 killed.
1993 (Oct.): Killing of U.S. soldiers in Somalia.
1996 (June): Truck bombing at Khobar Towers barracks in Dhahran, Saudi Arabia, killed 19 Americans.
1998 (Aug.): Bombing of U.S. embassies in Kenya and Tanzania; 224 killed, including 12 Americans.
1999 (Dec.): Plot to bomb millennium celebrations in Seattle foiled when customs agents arrest an Algerian smuggling explosives into the U.S.
2000 (Oct.): Bombing of the USS Cole in port in Yemen; 17 U.S. sailors killed.
2001 (Sept.): Destruction of WTC; attack on Pentagon. Total dead 2,992.
2001 (Dec.): Man tried to detonate shoe bomb on flight from Paris to Miami.
2002 (April): Explosion at historic synagogue in Tunisia left 21 dead, including 11 German tourists.
2002 (May): Car exploded outside hotel in Karachi, Pakistan, killing 14, including 11 French citizens.
2002 (June): Bomb exploded outside American consulate in Karachi, Pakistan, killing 12.
2002 (Oct.): Boat crashed into oil tanker off Yemen coast, killing 1.
2002 (Oct.): Nightclub bombings in Bali, Indonesia, killed 202, mostly Australian citizens.
2002 (Nov.): Suicide attack on a hotel in Mombasa, Kenya, killed 16.
2003 (May): Suicide bombers killed 34, including 8 Americans, at housing compounds for Westerners in Riyadh, Saudi Arabia.
2003 (May): 4 bombs killed 33 people targeting Jewish, Spanish, and Belgian sites in Casablanca, Morocco.
2003 (Aug.): Suicide car-bomb killed 12, injured 150 at Marriott Hotel in Jakarta, Indonesia.
2003 (Nov.): Explosions rocked a Riyadh, Saudi Arabia, housing compound, killing 17.
2003 (Nov.): Suicide car-bombers simultaneously attacked 2 synagogues in Istanbul, Turkey, killing 25 and injuring hundreds.
2003 (Nov.): Truck bombs detonated at London bank and British consulate in Istanbul, Turkey, killing 26.
2004 (March): 10 bombs on 4 trains exploded almost simultaneously during the morning rush hour in Madrid, Spain, killing 191 and injuring more than 1,500.
2004 (May): Terrorists attacked Saudi oil company offices in Khobar, Saudi Arabia, killing 22.
2004 (June): Terrorists kidnapped and executed American Paul Johnson, Jr., in Riyadh, Saudi Arabia.
2004 (Sept.): Car bomb outside the Australian embassy in Jakarta, Indonesia, killed 9.
2004 (Dec.): Terrorists entered the U.S. Consulate in Jeddah, Saudi Arabia, killing 9 (including 4 attackers).
2005 (July): Bombs exploded on 3 trains and a bus in London, England, killing 52.
2005 (Oct.): 22 killed by 3 suicide bombs in Bali, Indonesia.
2005 (Nov.): 57 killed at 3 American hotels in Amman, Jordan.
2006 (Aug.): More than 25 arrested in plot to blow up jetliners between London and U.S.
http://www.infoplease.com/ipa/A0884893.html
Global Incident Map
http://www.globalincidentmap.com/home.php
Terrorism Knowledge Database
www.tkb.org/home.jsp
Characteristics of Past Al-Qaeda attacks
• Focus on strategy
– U.S. and our allies
• Seek high consequences
• Meticulous planning to maximize
probability of success
• Execute multiple attacks
• Suicide attacks
“the attacks
benefited Islam
greatly…”
• Expected Outcome: "I was thinking
that the fire from the gas in the
plane would melt the iron structure
of the building and collapse the
area where the plane hit and all the
floors above it only. This is all that
we had hoped for."
• http://www.cnn.com/video/us/2001/12/13/bin.laden.high.cnn.med.asx
Can we model terrorism (Al-Qaeda) values and
objectives?
• Is Al-Qaeda rational?
• Al-Qaeda’s objectives (9/11 Commission)
– Elimination of foreign influence in Muslim countries
– Eradication of those deemed to be “infidels”
– Elimination of Israel
– Creation of a new Islamic caliphate
– Remove ‘infidels’ from Middle East
• Principal stated aims (http://www.infoplease.com/spot/al-qaeda-terrorism.html)
– Drive Americans and American influence out of all Muslim nations,
especially Saudi Arabia
– Destroy Israel
– Topple pro-Western dictatorships around the Middle East
– Unite all Muslims and establish, by force if necessary, an Islamic
nation adhering to the rule of the first Caliphs.
Al-Qaeda Training Manual focuses on
strategy, operations, and tactics.
Page 14
Page 15
http://www.usdoj.gov/ag/manualpart1_1.pdf
http://www.fas.org/irp/world/para/aqmanual.pdf
There are many national security risk
analysis decision makers and
stakeholders.
[Figure: stakeholders (National, State, Local, Private, Citizens) against decision levels (Strategic, Operational, Tactical), with “Our Focus” marked.]
Several modeling decisions must be made to
provide effective risk analyses that support
national homeland security decision-makers.
• Frequency of attacks
• Terrorist Decisions
• US Decisions
• Uncertain Events
• Consequences
• Combining Consequences
• Run time
• Model complexity
Source: Discussions with colleagues on NRC Committee
Several modeling decisions must be made to
provide effective risk analyses that support
national homeland security decision-makers.
[Figure: matrix of modeling decisions and the options for each.]
• Frequency of attacks, Terrorist Decisions, US Decisions, Uncertain Events (options shown across these columns): Ignore; Not modeled; Scenarios; Deterministic (parameter); Time until first attack; Multiple attacks; Probability distributions; Probability distributions on probabilities; Decision made to maximize some objective(s); Game theory models; Attacker-Defender models
• Consequences: Mortality; Morbidity; Economic; Psychological; Environmental
• Combining Consequences: Not combined; Convert to dollars; Combined with value function; Combined with utility function
• Run time: Real-time (Minutes); Hours; Days; Weeks; Months
• Model complexity: Transparent, simple models tailored to available data; Use meta-models developed for best available national models; Distributed modeling using best available national models; Black box with unvalidated, unverified, and unaccredited models
Source: Discussions with colleagues on NRC Committee
Red teaming or seminar games can
provide very important insights.
[Figure: the modeling-decisions matrix (frequency of attacks, terrorist decisions, US decisions, uncertain events, consequences, combining consequences, run time, model complexity), repeated on this slide.]
Red Teaming
~ Structured Qualitative Inquiry ~
• Detailed study plan (vignette, data collection plan, clearly
identified study issues, elements of analysis)
– scenario, moves, counter moves
– assessments
• World class Red and Blue experts
• Expert study director, skilled in facilitation
• Transparency: data collection → observations → findings
→ conclusions
Objective: Is our analysis framework robust enough to
capture potential actions of intelligent adversaries?
Three adversary risk analysis
modeling techniques.
• Terrorist decision tree
• Game theory
• Attacker-Defender models
Game theory and risk analysis.
[Figure: the modeling-decisions matrix (frequency of attacks, terrorist decisions, US decisions, uncertain events, consequences, combining consequences, run time, model complexity), repeated on this slide; “Expected value” also appears among the options.]
Combining game theory and risk
analysis.
                                              No Attack   Single Attack   Multiple attack
Stockpile                                     C11         C12             C13
Stockpile + Biosurveillance                   C21         C22             C23
Stockpile + Biosurveillance + Key personnel   C31         C32             C33
Everyone                                      C41         C42             C43
Banks, D. and Anderson, S. (2006). "Game Theory and Risk Analysis in the Context of the Smallpox Threat," in
Statistical Methods in Counterterrorism, ed. A. Wilson, G. Wilson, and D. Olwell, Springer-Verlag, NY, pp. 9-22.
Vicki Bier, “Choosing What to Protect”, http://www.usc.edu/dept/create/assets/001/50760.pdf
Attacker-Defender Models.
[Figure: the modeling-decisions matrix (frequency of attacks, terrorist decisions, US decisions, uncertain events, consequences, combining consequences, run time, model complexity), repeated on this slide; “Expected value” also appears among the options.]
Attacker-Defender is a bi-level program
(optimization) and type of Stackelberg game.
Brown, G., Carlyle, M., Salmerón, J. and Wood, K., 2006, "Defending Critical Infrastructure," Interfaces, 36, pp. 530-544.
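Added example (not from the slides or from Brown et al.): the bi-level structure solved by enumeration on the notional A/B attack data from the earlier tree slides. The countermeasure names, their effect multipliers and the one-unit costs are assumptions made up for illustration.

```python
"""Defender-attacker (Stackelberg) enumeration on the notional A/B data (added example)."""
from itertools import combinations

# Notional data from the earlier slides: option -> (P(success), consequence if successful).
ATTACKS = {"A": (0.50, 100.0), "B": (0.60, 50.0)}
# ASSUMPTION (not from the slides): each hypothetical countermeasure costs one budget
# unit and multiplies the success probability of the attacks it covers.
COUNTERMEASURES = {
    "harden_A": {"A": 0.5},
    "harden_B": {"B": 0.5},
    "detect_all": {"A": 0.8, "B": 0.8},
}


def attacker_best_response(attacks, deployed):
    """Inner problem: the attacker observes the defenses and maximizes expected consequences."""
    best_name, best_value = None, float("-inf")
    for name, (p_success, consequence) in attacks.items():
        for cm in deployed:
            p_success *= COUNTERMEASURES[cm].get(name, 1.0)
        value = p_success * consequence
        if value > best_value:
            best_name, best_value = name, value
    return best_name, best_value


def defender_optimum(attacks, budget):
    """Outer problem: pick up to `budget` countermeasures minimizing the attacker's maximum."""
    best = None
    for k in range(budget + 1):
        for deployed in combinations(sorted(COUNTERMEASURES), k):
            attack, value = attacker_best_response(attacks, deployed)
            if best is None or value < best[2] - 1e-12:
                best = (deployed, attack, value)
    return best


if __name__ == "__main__":
    for budget in (0, 1, 2):
        deployed, attack, value = defender_optimum(ATTACKS, budget)
        print(f"budget={budget}: deploy {deployed or '()'} -> attacker picks {attack}, value {value:.1f}")
    # Defending the option the event tree ranked highest (B) leaves the attacker's choice unchanged.
    print("harden_B only:", attacker_best_response(ATTACKS, ("harden_B",)))
```

Under these assumed effects, hardening B alone leaves the attacker's best response at A with an expected consequence of 50, while hardening A shifts the attacker to B and lowers the maximum to 30.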
Multiobjective decision analysis with decision
tree/influence diagram.
[Figure: the modeling-decisions matrix (frequency of attacks, terrorist decisions, US decisions, uncertain events, consequences, combining consequences, run time, model complexity), repeated on this slide.]
Multiobjective decision analysis with decision
tree/influence diagram.
[Figure: Terrorist Influence Diagram. Nodes: Bioterrorism Target; Bioterrorism Agent; Acquire Agent; Obtain Agent; Detect Pre-attack; Attack Success; Mitigation Effectiveness; Deaths; Max Deaths; Weight Deaths; Economic Impact; Max Economic Impact; Weight Economic Impact; Terrorist Value.]
Parnell, G. S., Multi-objective Decision Analysis, Wiley Handbook of Science & Technology For Homeland Security, John G Voeller,
Editor, Forthcoming 2007
Multiobjective decision analysis with decision
tree/influence diagram.
(Values in brackets are rolled-back expected values.)
Bioterrorism_Target [0.0474138]
• Location_X: Bioterrorism_Agent [0.023709]
• Location_Y: Bioterrorism_Agent [0.0474138]
  – Agent_A: Acquire_Agent [0.0353835]
  – Agent_B: Acquire_Agent [0.03008]
  – Agent_C: Acquire_Agent [0.0474138]
    • Produce: Detect_Pre_attack [0.0474138]
      – Yes, .400: 0
      – No, .600: Obtain_Agent [0.079023]
        • No, .300: 0
        • Yes, .700: Attack_Success [0.11289]
          – Not_successful, .250: 0
          – Low, .500: 0.10003
          – High, .250: 0.2515
    • Procure: Detect_Pre_attack [0.0406404]
Parnell, G. S., Multi-objective Decision Analysis, Wiley Handbook of Science & Technology For Homeland Security, John G. Voeller,
Editor, Forthcoming 2007
• Paté-Cornell, M.E. and S.D. Guikema. 2002. “Probabilistic Modeling of Terrorist Threats: A Systems Analysis Approach to Setting
Priorities Among Countermeasures,” Military Operations Research, Vol. 7, No. 4, pp. 5-23.
• von Winterfeldt and Terrence M. O’Sullivan, A Decision Analysis to Evaluate the Cost-Effectiveness of MANPADS Countermeasures,
Decision Analysis, Vol 3, No 2, June 2006, pp. 63-75.
What knowledge should a WMD risk
analyst team have?
• Intelligent adversaries
– Strategy
– Objectives
– Tactics
• Analysis techniques
– Decision analysis
– Game theory
– Attacker-Defender models
– Risk analysis (consequence models)
– Red teams
– Wargaming
• Technologies
– Threat: Conventional; WMD (CBRN)
– Technologies for risk management
Access to “world class” experts is critical.
Summary
• What is our U.S. National Security Strategy?
– Protect against WMD, especially bioterrorism.
• What are the sources of national security risk?
– WMD, especially bioterrorism.
• How do natural hazards and intelligent adversaries differ?
– Natural hazard data exist; intelligent adversaries are adaptive and
dynamic.
• Are natural hazard risk analysis techniques appropriate for intelligent
adversaries?
– But some techniques can be used.
– New techniques are needed.
• Can we model and use terrorist values and objectives?
– Yes.
• How should we analyze the risk of attacks from intelligent adversaries?
– Will require the design of new approaches.
• What knowledge should a national security risk analyst team have?
– Will require learning adversary strategies, new techniques, new
technologies, and communications with very diverse stakeholders.