Published by The Lawfare Institute
Almost everything we think we know about homeland security is outdated.
If the lessons of Paris (twice), Brussels, San Bernardino, Orlando, Istanbul (just yesterday), Sony, the Sands Hotel, and the Ukrainian electric grid tell us anything, they tell us that our doctrine of homeland security (such as it is) needs urgent revision. In this post I want to unpack the idea of homeland security doctrine and explain why it is in such a state of disrepair. [As will be clear as we go along, my inclusion of Orlando in the list above is not essential to the ideas expressed – even if you are one of those who thinks that the killings at the Pulse were the product of anti-gay animus the conclusions offered below remain, I think, relevant.]
Brother Can You Paradigm?
To begin with, homeland security (the activity, not the department) does not have the benefit of having been developed with a robust theoretical foundation for practice. In this it differs substantially from its nearest analog, the concept of national defense. While military doctrines may be right or wrong in varying degrees, there are ample theoretical foundations for warfare, many of which have withstood the test of time in their implementation. Most every military leader around the globe will have read Sun Tzu and Clausewitz. In more recent years they may also have read Mao’s writings on guerrilla warfare. While their concepts of practical application may often differ, at bottom there is a core theory of how warfare works and therefore of how best to practice the discipline.
By contrast homeland security was a discipline created in crisis. The first Secretary of DHS, Tom Ridge, likened the exercise to finishing the construction of an airplane while in flight. And many doubt that homeland security is a separate discipline at all – seeing it only as an agglomeration of marginally related tasks such as border security, immigration and customs control, natural disaster recovery, and the like. As such it did not have the benefit of any pre-existing doctrinal foundation on which to build its policy and practice. Rather, the homeland security enterprise (such as it is) began as little more than an accumulation of activities with no theoretical underpinnings.
Homeland Security Doctrine 1.0
But military doctrine did not spring full-blown from the head of Clausewitz as the product of his own ratiocination. The doctrines he (and others) advanced were the product of the study of practice – intended to identify from the reality of war a theory of what works and what doesn’t. Recognizing this, and with necessity being the mother of invention, in the mid-2000s we began a project to derive from our own practice the doctrine of homeland security. The project never got very far – it lacked both funding and the time and attention necessary for its success. But, as I recall, our first cut was able to identify three basic doctrinal principles that, we inferred, were either explicitly or implicitly guiding our operational activities. At that time (roughly 2007 or so) it seemed that homeland security revolved around these three ideas:
- Push the borders out – move as much of the border screening function as feasible to overseas locations;
- Layered defense – independent layers with a low chance of success combine to increase security with a higher degree of certainty; and
- Risk-based allocation of resources – put resources to preventing the greatest risks first.
You can see the effects of these principles in many of the policies that were adopted in the early years after 9/11. America increasingly deployed government staff overseas and tried to conduct our screenings as far away from the borders as possible. That’s why, today, DHS has more civilian overseas staff than any Federal agency save the Department of State. It’s the insight that lies behind cargo screening, for example, at foreign ports.
Likewise, the layered defense idea is easy to see expressed in, for example, our aviation security system. TSA at the airport entry, plus hardened cockpit doors, plus federal air marshals, and other systems. Each individually might not be fully effective, but in combination the theory suggests they work well.
One can also see how risk calculus drove resource allocation. The threat of nuclear weapons was so consequential that we now screen all arriving trucks at ports of entry for radiation – an effort that required the investment of billions of dollars.
The combination of these three doctrinal insights also drove our tactic of interdiction. Fundamentally, the homeland security enterprise sought to prevent terrorism within the United States by:
- Interdicting Terrorist Travel – hence the focus on passenger name record screening, new biometric passports and similar systems;
- Intercepting Terrorist Communications – hence the Section 702 program and enhanced SIGINT efforts; and
- Interdicting Terrorist Financing – hence the SWIFT terror financing program and new banking rules like “know your customer” and suspicious activity reporting.
The theory, at least, was that if we could stop terrorists from travelling to the US; prevent them from getting funding if they did travel; and monitor their communications to identify plots before they happened, then the security of the homeland would increase.
Buried in this doctrine, however, were two underlying assumptions – assumptions that were in my view accurate approximations of reality, at the time. The first assumption was that the threat to the homeland stemmed from overseas – the model was of terrorists leaving from the Af/Pak or Iran/Iraq area of conflict and transiting (often through Europe) to the United States. The second assumption was that the foreign born terrorist was intent on attacking spectacular targets – airline takedowns, for example, or nuclear attacks on American cities.
Homeland Threats Morphed
For their time these assumptions were relatively accurate approximations of what the enemy looked like. The problem is that today those assumptions no longer hold. Yet our homeland doctrine remains (with one exception noted below) more or less unchanged. That mismatch between doctrine and reality cannot be sustained in the long run.
Before being overly critical of the doctrine today it is worth pausing to consider the relative success of the earlier doctrine. To a large degree the threat that it addressed – offshore terrorists seeking to conduct catastrophic physical attacks in the United States – has been avoided for nearly 15 years. Some of that was luck, to be sure, but much of it was the residue of good planning. It isn’t a coincidence, I think, that successful aviation attacks have occurred in areas of the world where security measures were less concerted and more chaotic. In many ways then, the fact that the adversary has adapted and changed tactics is a sign of success – our preventative steps have required them to seek to advance their objectives elsewhere.
That having been said, their tactics are changing. Consider first the assumption of the overseas nature of the threat – it is breaking down in two distinct ways.
On the one hand many of the threats from offshore no longer need to cross borders to have effects here in the United States. The change in the dynamic of cyber conflict allowing action at a distance puts threat actors beyond the reach of US law. More importantly, it renders the current structural system of border controls in the kinetic space much less relevant. In short, all harms are no longer kinetic – a significant change from 10 years ago.
Likewise, our assumption that malicious actors will have to physically transit to the United States to do kinetic harm is breaking down. We have seen a growth in what looks like domestic radicalization – those who are already present in the United States taking up a cause after (often long after) arriving in this country. In Europe they have also seen an upsurge in that sort of radicalization, though there it is sometimes conjoined with foreign travel for training. So, the idea that physical threats are exclusively or principally extraterritorial is no longer as robust as it was.
Second, and more surprisingly from my perspective, we see that our adversaries have more or less given up on the notion of grandeur. Where before they seemed focused on spectacular attacks on iconic infrastructure, the terrorists today seem content to assault everyday locations – cafes in Paris; parties in San Bernardino; and clubs in Orlando.
The breakdown in assumptions in turn means that virtually none of our doctrine fits any longer. Pushing the borders out is useless when borders don’t matter. Focusing on preventing significant and high-consequence events is wrong if the targets now are the stuff of common, daily life. And if everything is now a potential target, we can’t afford layers of defense – given our resources we can barely afford a single layer of questionable effectiveness (like the bouncer at the club or the security guard at the mall).
Homeland Doctrine 2.0
So what does this mean? To be honest, the answer is not clear – I am much more certain that the current construct is incomplete than I am that the next steps are identifiable. Nonetheless, problems without proposed solutions are just complaints so herewith a few thoughts:
First, these changes mean that homeland security begins at home. In the earlier iteration our focus on pushing the borders out gave homeland security a distinctly overseas focus. Now our preventative efforts need, I think, to be more inward looking.
That, of course, is deeply problematic – there is much dispute about how one can conduct domestic homeland security in a manner compatible with civil liberties. I don’t propose to resolve that tension now – but I do mean to suggest that the urgency of resolving it is much greater now than in the past. It used to be that we could comfortably rest our counter-terrorism efforts on the US Person distinction. That is no longer the case. While domestic surveillance will have to be part of the answer, the changing circumstances suggest a renewed effort by society to counter the message of violent extremism through non-surveillance means.
Second, we must modernize our interdiction efforts. Our tactics of interdiction as currently structured don’t suffice. Without a physical travel requirement, the travel interdiction is unnecessary. Likewise, for smaller-bore attacks like in Orlando, funding becomes almost trivial. And now, instead of interdicting operational planning messages we are either required to stop incoming cyber attacks or to stop radicalizing propaganda – both of which are much more difficult than monitoring communications. Again, to state the problem is not to solve it – but we need to recognize that a “radicalize in place” propaganda machine is trying to drive conduct and that defending against that threat is deeply confounding in a society that values free expression. Part of the response will be developing a counter-narrative for use domestically, but I suspect that part of the effort will also involve overseas acts intended to suppress terrorist speech at their sources.
Third, we need to define and defend a borderless cyber domain. Again, easier said than done – nobody wants a Great American Firewall. And most of the transit of this new cyber border happens on private networks and systems that are operated by the private sector. This is the one area where we can already see the doctrinal transition happening with some clarity. The Obama Administration has developed and begun the deployment of a supportive, standards-based cybersecurity structure. That structure may or may not be the “best” answer – but the new doctrine that “cyber is part of the homeland” has some significant resonance.
Finally, as the type of attack morphs, the prospect of stopping them all from succeeding begins to asymptotically approach zero. We used to say that successful attacks were inevitable. Now we are seeing the reality of that prospect – and it isn’t a pretty one; nor is it one that the American public will accept gladly. And yet they must, so the last part of the new doctrine might be: prepare to fail; stress resiliency.
Here is something relatively new. If you look at the practice of homeland security today, the dominant part of the effort focuses on prevention – we ask “how can we stop another Orlando?” That’s not the “wrong” question per se. If we spot gaps it is good to plug them. But the grim reality is that we can no longer expect to succeed in preventing terrorism – so we must develop tactics to minimize its effects (new active shooter protocols) and recover from it quickly (e.g. quicker emergency response systems).
I apologize if that’s a depressing way to end the essay. But it is the reality we face. Indeed, you may disagree with some of the broad prescriptions I’ve offered – but it seems to me ineluctable that the homeland security threat is changing and that our doctrine must change with it.