Dr. Greg Parnell Professor of Systems Engineering Department of Systems Engineering United States...
-
Upload
diana-weber -
Category
Documents
-
view
214 -
download
1
Transcript of Dr. Greg Parnell Professor of Systems Engineering Department of Systems Engineering United States...
Dr. Greg ParnellProfessor of Systems Engineering
Department of Systems Engineering United States Military Academy at West Point
Senior Principal, Innovative Decisions [email protected]
National Security Risk Analysis
2
Disclaimer
The views expressed in this presentation are
those of the author and do not reflect the official
policy or position of the United States Army, the
Department of Defense, Innovative Decisions,
Inc., the National Research Council, or the
Department of Homeland Security.
3
Agenda
• What is our U.S. National Security Strategy?
• What are the sources of national security risk?
• How do natural hazards and intelligent adversaries differ?
• Are natural hazard risk analysis techniques appropriate for intelligent adversaries?
• Can we model and use terrorist values and objectives?
• How should we analyze the risk of attacks from intelligent adversaries?
• What knowledge should a national security risk analyst team have?
4
U.S. National Security Strategy
Champion Human Dignity
Increase Regional Security
Promote Economic Growth
Promote Democracies
Protect U.S., allies, and interests
Defeat Global
Terrorism
Prevent WMD
Threats
Promote Free Markets and Trade
Achieve Benefits of
Globalization
Protect National Security and Lay
Foundation for Future Peace
Source: National Security Strategy of the United States, March 2006
5
Agenda
• What is our U.S. National Security Strategy?
• What are the sources of national security risk?
• How do natural hazards and intelligent adversaries differ?
• Are natural hazard risk analysis techniques appropriate for intelligent adversaries?
• Can we model and use terrorist values and objectives?
• How should we analyze the risk of attacks from intelligent adversaries?
• What knowledge should a national security risk analyst team have?
6
Risk of WMD in the National Security Strategy.
• Protect our enemies from threatening us, our allies, and our friends with WMD. – “the greater the threat, the greater the risk
of inaction”– “Biological weapons pose a grave WMD
threat because of the risk of contagion that would spread disease across large populations and around the globe”
The National Security Strategy of the United States of America, The White House, March 2006
7
Risk terms (threat, vulnerability, and consequences) are used frequently.
• Threats (42)– WMD (Nuclear, Biological, and Chemical)– Global Terrorism– Opportunistic aggression (regional security)– Pandemic
• Vulnerability (1)– DHS is “focused on three national security objectives:
preventing terrorist attacks within the U.S.; reducing America’s vulnerability to terrorism; and minimizing the damage and facilitating the recovery from attacks that do occur”
• Consequences (7)– Proactive counterproliferation efforts and improved protection to
mitigate consequences of WMD use– When the consequences of an attack with WMD are potentially
so devastating, we cannot afford to stand idly by as grave dangers materialize.
The National Security Strategy of the United States of America, The White House, March 2006
8
Agenda
• What is our U.S. National Security Strategy?
• What are the sources of national security risk?
• How do natural hazards and intelligent adversaries differ?
• Are natural hazard risk analysis techniques appropriate for intelligent adversaries?
• Can we model and use terrorist values and objectives?
• How should we analyze the risk of attacks from intelligent adversaries?
• What knowledge should a national security risk analyst team have?
9
Intelligent adversary (terrorism) risks are different than natural hazards.
Natural HazardsIntelligent Adversaries
Terrorism Information Security
Historical Data
Some historical data:Record of several extreme events already occurred.
Very limited historical data:9/11 events were the first foreign terrorist attacks worldwide with such a huge concentration of victims and damages.
Extensive historical data for existing systemsInformation systems are under continuous attack. Difficult to predict attacks for new system designs.
Risk of Occurrence
Risk reasonably well-specified: Well-developed models for estimating risks based on historical data and experts’ estimates.
Considerable ambiguity of risk: Terrorists can purposefully adapt their strategy (target, weapons, time) depending on their information on vulnerabilities. Attribution may be difficult (e.g. anthrax attacks)
Ambiguity of risk: Attackers can access data not known to users or information security specialists. Attribution difficult.
Geographic Risk
Specific areas at risk: Some geographical areas are well known for being at risk (e.g., California for earthquakes or Florida for hurricanes).
All areas at risk: Some cities may be considered riskier than others (e.g., New York City, Washington), but terrorists may attack anywhere, any time.
All areas at risk: Internet provides connectivity for attackers as well as user. Information security only as good as weakest link.
Information Information sharing: New scientific knowledge on natural hazards can be shared with all the stakeholders.
Asymmetry of information: Governments sometimes keep secret new information on terrorism for national security reasons.
Some sharing but strong incentives not to share. Organizations have incentives to keep confidential attacks to avoid loss of customer confidence.
Event Type Natural event: To date no one can influence the occurrence of an extreme natural event (e.g., an earthquake).
Intelligent adversary events: Governments may be able to influence terrorism (e.g., foreign policy; international cooperation; national and homeland security measures).
Intelligent adversary events: Governments can influence, some international cooperation and national measures.
Preparedness and
Prevention
Government and insureds can invest in well-known mitigation measures.
Weapons types are numerous. Federal agencies may be in a better position to develop more efficient global mitigation programs.
Attacks are numerous and growing in sophistication.
• Modified form Kunreuther, H. and Michel-Kerjan, E (2005), “Insuring (Mega)-Terrorism: Challenges and Perspectives”, in OECD, Terrorism Risk Insurance in OECD Countries, July (modified first two columns and added third column).• Parnell, G. S., Dillon-Merrill, R. L., and Bresnick, T. A., 2005, Integrating Risk Management with Homeland Security and Antiterrorism Resource Allocation Decision-Making, The McGraw-Hill Handbook of Homeland Security, David Kamien, Editor, pp. 431-461
10
Agenda
• What is our U.S. National Security Strategy?
• What are the sources of national security risk?
• How do natural hazards and intelligent adversaries differ?
• Are natural hazard risk analysis techniques appropriate for intelligent adversaries?
• Can we model and use terrorist values and objectives?
• How should we analyze the risk of attacks from intelligent adversaries?
• What knowledge should a national security risk analyst team have?
11
Some key questions for risk analysis of the threat of WMD.
• Purpose– Who uses the risk assessment?– What do they use the risk assessment for?– How does it support risk management?
• Data collection – Who are the subject matter experts (SMEs)?– Can we access the SMEs?– What are the terrorist objectives?– What are the agent/weapon threats? – How do we deal with asymmetry of threat information?
• Modeling– Are natural hazard techniques (e.g., event trees) appropriate for intelligent adversaries?– What can we learn for information assurance risk analysis?– Are other techniques available? – Should terrorist decisions be model inputs or outputs?– Who provides the probabilities?– How do we assess the probabilities?– What consequences should be considered?– How do we model the consequences?
• Presentation– How should we present the risk to decision makers and stakeholders?
12
Decision tree calculations with notional data.
An intelligent adversary trying to maximize consequences would select Attack A.
100 50%
[100] Attack Success
0 50%
[0] Attack Failure
Consequences [50] A
50 60%
[50] Attack Success
0 40%
[0] Attack Failure
Consequences [30] B
Attack [50]
13
A canonical intelligent adversary problem to compare risk analysis techniques.
• Adversary attack (terrorist)– Select target– Select biological agent, nuclear
weapon, chemical agent– Acquire, deploy, and employ
agent/weapon
• Consequences– Attack success or failure
• Detection• Interdiction• Vulnerability
– Consequences given attack • Consequence management
Attack
Event Tree
Consequences
Attack
Decision Tree
Consequences
Colleagues Howard Kunruether and Tony Cox contributed to this formulation.
14
Event tree calculations with notional data.
Attack B contributes 84% of the risk.
100 50%
[100] Attack Success
0 50%
[0] Attack Failure
Consequences
10%
[50] A
50 60%
[50] Attack Success
0 40%
[0] Attack Failure
Consequences
90%
[30] B
Attack [32]
15
Mission Oriented Risk and Decision Analysis (MORDA) supports the information assurance design process.
Buckshaw, D. L., Parnell, G. S., Unkenholz, W. L., Parks, D. L., Wallner, J. M. and Saydjari, O. S., “Mission Oriented Risk and Design Analysis of Critical Information Systems,” Military Operations Research, 2005,Vol 10, No 2, pp. 19-38.
AdversariesAdversaries
Mission Support &
Service ProviderModels
Adversary AttackModel
Integration &
AnalysisModel
User Mission Support Needs
DesignOptions
Evaluate Design
Select Design
Develop,Integrate,
&Deploy
System Lifecycle
Operations&
Maintenance
SOCRATES Model
Hardware&
Software
MORDA PROCESS
Risk AssessmentAttack treesRisk ManagementMultiple objective decision analysis• Attacker• Mission Support• Service ProvidersOptimization and Cost/Benefit Analysis• Countermeasure design options
16
Agenda
• What is our U.S. National Security Strategy?
• What are the sources of national security risk?
• How do natural hazards vs. intelligent adversaries differ?
• Are natural hazard risk analysis techniques appropriate for intelligent adversaries?
• Can we model and use terrorist values and objectives?
• How should we analyze the risk of attacks from intelligent adversaries?
• What knowledge should a national security risk analyst team have?
17
Terrorist Acts Suspected of or Inspired by al-Qaeda
1993 (Feb.): Bombing of World Trade Center (WTC); 6 killed.
1993 (Oct.): Killing of U.S. soldiers in Somalia.
1996 (June): Truck bombing at Khobar Towers barracks in Dhahran, Saudi Arabia, killed 19 Americans.
1998 (Aug.): Bombing of U.S. embassies in Kenya and Tanzania; 224 killed, including 12 Americans.
1999 (Dec.): Plot to bomb millennium celebrations in Seattle foiled when customs agents arrest an Algerian smuggling explosives into the U.S.
2000 (Oct.): Bombing of the USS Cole in port in Yemen; 17 U.S. sailors killed.
2001 (Sept.): Destruction of WTC; attack on Pentagon. Total dead 2,992.
2001 (Dec.): Man tried to denote shoe bomb on flight from Paris to Miami.
2002 (April): Explosion at historic synagogue in Tunisia left 21 dead, including 11 German tourists.
2002 (May): Car exploded outside hotel in Karachi, Pakistan, killing 14, including 11 French citizens.
2002 (June): Bomb exploded outside American consulate in Karachi, Pakistan, killing 12.
2002 (Oct.): Boat crashed into oil tanker off Yemen coast, killing 1.
2002 (Oct.): Nightclub bombings in Bali, Indonesia, killed 202, mostly Australian citizens.
2002 (Nov.): Suicide attack on a hotel in Mombasa, Kenya, killed 16.
2003 (May): Suicide bombers killed 34, including 8 Americans, at housing compounds for Westerners in Riyadh, Saudi Arabia.
2003 (May): 4 bombs killed 33 people targeting Jewish, Spanish, and Belgian sites in Casablanca, Morocco.
2003 (Aug.): Suicide car-bomb killed 12, injured 150 at Marriott Hotel in Jakarta, Indonesia.
2003 (Nov.): Explosions rocked a Riyadh, Saudi Arabia, housing compound, killing 17.
2003 (Nov.): Suicide car-bombers simultaneously attacked 2 synagogues in Istanbul, Turkey, killing 25 and injuring hundreds.
2003 (Nov.): Truck bombs detonated at London bank and British consulate in Istanbul, Turkey, killing 26.
2004 (March): 10 bombs on 4 trains exploded almost simultaneously during the morning rush hour in Madrid, Spain, killing 191 and injuring more than 1,500.
2004 (May): Terrorists attacked Saudi oil company offices in Khobar, Saudi Arabia, killing 22.
2004 (June): Terrorists kidnapped and executed American Paul Johnson, Jr., in Riyadh, Saudi Arabia.
2004 (Sept.): Car bomb outside the Australian embassy in Jakarta, Indonesia, killed 9.
2004 (Dec.): Terrorists entered the U.S. Consulate in Jeddah, Saudi Arabia, killing 9 (including 4 attackers).
2005 (July): Bombs exploded on 3 trains and a bus in London, England, killing 52.
2005 (Oct.): 22 killed by 3 suicide bombs in Bali, Indonesia.
2005 (Nov.): 57 killed at 3 American hotels in Amman, Jordan.
2006 (Aug.): More than 25 arrested in plot to blow up jetliners between London and U.S
http://www.infoplease.com/ipa/A0884893.htmlGlobal Incident Maphttp://www.globalincidentmap.com/home.php
Terrorism Knowledge Databasewww.tkb.org/home.jsp
18
Characteristics of Past Al-Qaeda attacks
• Focus on strategy– U.S. and our allies
• Seek high consequences
• Meticulous planning to maximize probability of success
• Execute multiple attacks
• Suicide attacks
19
“the attacks benefited Islam greatly…"
• Expected Outcome: "I was thinking that the fire from the gas in the plane would melt the iron structure of the building and collapse the area where the plane hit and all the floors above it only. This is all that we had hoped for."
• http://www.cnn.com/video/us/2001/12/13/bin.laden.high.cnn.med.asx
20
Can we model terrorism (Al-Qaeda) values and objectives?
• Is Al-Qaeda rational?
• Al-Qaeda’s objectives (911 Commission)– Elimination of foreign influence in Muslim countries– Eradication of those deemed to be "infidels“– Elimination of Israel– Creation of a new Islamic caliphate – Remove ‘infidels’ from Middle East
• Principal stated aims (http://www.infoplease.com/spot/al-qaeda-terrorism.html)
– Drive Americans and American influence out of all Muslim nations, especially Saudi Arabia
– Destroy Israel– Topple pro-Western dictatorships around the Middle East– Unite all Muslims and establish, by force if necessary, an Islamic
nation adhering to the rule of the first Caliphs.
21
Al-Qaeda Training Manual focuses on strategy, operations, and tactics.
http://www.usdoj.gov/ag/manualpart1_1.pdfhttp://www.fas.org/irp/world/para/aqmanual.pdf
Page 14
Page 15
22
Agenda
• What is our U.S. National Security Strategy?
• What are the sources of national security risk?
• How do natural hazards and intelligent adversaries differ?
• Are natural hazard risk analysis techniques appropriate for intelligent adversaries?
• Can we model and use terrorist values and objectives?
• How should we analyze the risk of attacks from intelligent adversaries?
• What knowledge should a national security risk analyst team have?
23
There are many national security risk analysis decision makers and
stakeholders.
National State Local Private Citizens
StrategicOur
Focus
Operational
Tactical
24
Several modeling decisions must be made to provide effective risk analyses that support
national homeland security decision-makers.
Run time Model complexityFrequency
of attacks
Terrorist
DecisionsUS Decisions
Uncertain
EventsConsequences
Combining
Consequences
Source: Discussions with colleagues on NRC Committee
25
Several modeling decisions must be made to provide effective risk analyses that support
national homeland security decision-makers.
Run time Model complexityFrequency
of attacks
Terrorist
DecisionsUS Decisions
Uncertain
EventsConsequences
Combining
Consequences
Real-time
(Minutes)
Transparent,
simple models
tailored to available
data
Ignore Scenarios Scenarios Not modeled Mortality Not combined
Hours
Use meta-models
developed for best
available national
models
Time until
first attack
Probability
distributions
Probability
distributions
Deterministic
(parameter)Morbidity
Convert to
dollars
Days
Distributed
modeling using
best available
national models
Multiple
attacks
Decision
made to
maximize
some
objective(s)
Decision
made to
maximize
some
objective(s)
Probability
distribution EconomicCombined with
value function
Weeks
Black box with
unvalidated,
unverified, and
unaccredited
models
Game theory modelsProbability
distributions
on
probabilities
PsychologicalCombined with
utility function
MonthsAttacker-Defender models
Environmental
Source: Discussions with colleagues on NRC Committee
26
Red teaming or seminar games can provide very important insights.
Run time Model complexityFrequency
of attacks
Terrorist
DecisionsUS Decisions
Uncertain
EventsConsequences
Combining
Consequences
Real-time
(Minutes)
Transparent,
simple models
tailored to available
data
Ignore Scenarios Scenarios Not modeled Mortality Not combined
Hours
Use meta-models
developed for best
available national
models
Time until
first attack
Probability
distributions
Probability
distributions
Deterministic
(parameter)Morbidity
Convert to
dollars
Days
Distributed
modeling using
best available
national models
Multiple
attacks
Decision
made to
maximize
some
objective(s)
Decision
made to
maximize
some
objective(s)
Probability
distribution EconomicCombined with
value function
Weeks
Black box with
unvalidated,
unverified, and
unaccredited
models
Game theory modelsProbability
distributions
on
probabilities
PsychologicalCombined with
utility function
Months Attacker-Defender models Environmental
27
Red Teaming~ Structured Qualitative Inquiry ~
• Detailed study plan (vignette, data collection plan, clearly identified study issues, elements of analysis)
– scenario, moves, counter moves
– assessments
• World class Red and Blue experts
• Expert study director, skilled in facilitation
• Transparence: data collection observations findings conclusions
Objective: Is our analysis framework robust enough to capture potential actions of intelligent adversaries?
28
Three adversary risk analysis modeling techniques.
• Terrorist decision tree
• Game theory
• Attacker-Defender models
29
Game theory and risk analysis.
Run time Model complexityFrequency
of attacks
Terrorist
DecisionsUS Decisions
Uncertain
EventsConsequences
Combining
Consequences
Real-time
(Minutes)
Transparent,
simple models
tailored to available
data
Ignore Scenarios Scenarios Not modeled Mortality Not combined
Hours
Use meta-models
developed for best
available national
models
Time until
first attack
Probability
distributions
Probability
distributions
Deterministic
(parameter)Morbidity
Convert to
dollars
Days
Distributed
modeling using
best available
national models
Multiple
attacks
Decision
made to
maximize
some
objective(s)
Decision
made to
maximize
some
objective(s)
Probability
distribution
Expected value
EconomicCombined with
value function
Weeks
Black box with
unvalidated,
unverified, and
unaccredited
models
Game theory modelsProbability
distributions
on
probabilities
PsychologicalCombined with
utility function
Months Attacker-Defender models Environmental
30
Combining game theory and risk analysis.
Banks, D. and Anderson, S. (2006). "Game Theory and Risk Analysis in the Context of the Smallpox Threat," in Statistical Methods in Counterterrorism, ed. A. Wilson, G. Wilson, and D. Olwell, Springer-Verlag, NY, pp. 9-22.
No Attack Single Attack Multiple attack
Stockpile C11 C12 C13
Stockpile +
BiosurveillanceC21 C22 C33
Stockpile+
Biosurveillance +
Key personnel
C31 C32 C33
Everyone C41 C42 C43
Vicki Bier, “Choosing What to Protect”, http://www.usc.edu/dept/create/assets/001/50760.pdf
31
Attacker-Defender Models.
Run time Model complexityFrequency
of attacks
Terrorist
DecisionsUS Decisions
Uncertain
EventsConsequences
Combining
Consequences
Real-time
(Minutes)
Transparent,
simple models
tailored to available
data
Ignore Scenarios Scenarios Not modeled Mortality Not combined
Hours
Use meta-models
developed for best
available national
models
Time until
first attack
Probability
distributions
Probability
distributions
Deterministic
(parameter)Morbidity
Convert to
dollars
Days
Distributed
modeling using
best available
national models
Multiple
attacks
Decision
made to
maximize
some
objective(s)
Decision
made to
maximize
some
objective(s)
Probability
distribution
Expected value
EconomicCombined with
value function
Weeks
Black box with
unvalidated,
unverified, and
unaccredited
models
Game theory modelsProbability
distributions
on
probabilities
PsychologicalCombined with
utility function
Months Attacker-Defender models Environmental
32
Attacker-Defender is a bi-level program (optimization) and type of Stackelberg game.
Brown, G., Carlyle, M., Salmerón, J. and Wood, K., 2006, "Defending Critical Infrastructure ," Interfaces , 36, pp. 530-544.
33
Multiobjective decision analysis with decision tree/influence diagram.
Run time Model complexityFrequency
of attacks
Terrorist
DecisionsUS Decisions
Uncertain
EventsConsequences
Combining
Consequences
Real-time
(Minutes)
Transparent,
simple models
tailored to available
data
Ignore Scenarios Scenarios Not modeled Mortality Not combined
Hours
Use meta-models
developed for best
available national
models
Time until
first attack
Probability
distributions
Probability
distributions
Deterministic
(parameter)Morbidity
Convert to
dollars
Days
Distributed
modeling using
best available
national models
Multiple
attacks
Decision
made to
maximize
some
objective(s)
Decision
made to
maximize
some
objective(s)
Probability
distribution EconomicCombined with
value function
Weeks
Black box with
unvalidated,
unverified, and
unaccredited
models
Game theory modelsProbability
distributions
on
probabilities
PsychologicalCombined with
utility function
Months Attacker-Defender models Environmental
34
Deaths
EconomicImpact
TerroristValue
WeightDeaths
Mitigation Effectiveness
WeightEconomic
Impact
MaxDeaths
MaxEconomic
Impact
DetectPre-attack
ObtainAgent
Attack Success
BioterrorismTarget
Bioterrorism Agent
Acquire Agent
Terrorist Influence Diagram
Parnell, G. S., Multi-objective Decision Analysis, Wiley Handbook of Science & Technology For Homeland Security, John G Voeller, Editor, Forthcoming 2007
Multiobjective decision analysis with decision tree/influence diagram.
35
Bioterrorism_Agent Location_X [0.023709]
Acquire_Agent Agent_A [0.0353835]
Acquire_Agent Agent_B [0.03008]
Yes
0 .400
[0]
No
0 .300
[0]
Not_successful
0 .250
[0]
Low
0.10003 .500
[0.10003]
High
0.2515 .250
[0.2515]
Attack_Success Yes
.700
[0.11289]
Obtain_Agent No
.600
[0.079023]
Detect_Pre_attack Produce [0.0474138]
Detect_Pre_attack Procure [0.0406404]
Acquire_Agent Agent_C [0.0474138]
Bioterrorism_Agent Location_Y [0.0474138]
Bioterrorism_Target [0.0474138]
Parnell, G. S., Multi-objective Decision Analysis, Wiley Handbook of Science & Technology For Homeland Security, John G. Voeller, Editor, Forthcoming 2007
Multiobjective decision analysis with decision tree/influence diagram.
• Paté-Cornell, M.E. and S.D. Guikema. 2002. “Probabilistic Modeling or Terrorist Threats: A Systems Analysis Approach to Setting Priorities Among Countermeasures,” Military Operations Research, Vol. 7, No. 4, pp. 5-23. • von Winterfeldt and Terrence M. O’Sullivan, A Decision Analysis to Evaluate the Cost-Effectiveness of MANPADS Countermeasures, Decision Analysis, Vol 3, No 2, June 2006, pp. 63-75.
36
Agenda
• What is our U.S. National Security Strategy?
• What are the sources of national security risk?
• How do natural hazards and intelligent adversaries differ?
• Are natural hazard risk analysis techniques appropriate for intelligent adversaries?
• Can we model and use terrorist values and objectives?
• How should we analyze the risk of attacks from intelligent adversaries?
• What knowledge should a national security risk analyst team have?
37
Analysis techniques
Technologies
Intelligent adversaries
• Decision analysis• Game theory• Attacker-Defender
models
• Risk analysis
– Consequence models
• Red teams
• Wargaming
What knowledge should a WMD risk analyst team have?
• Threat– Conventional– WMD (CBRN)
• Technologies for risk management
• Strategy
• Objectives
• Tactics
Access to “world class” experts is critical.
38
Summary
• What is our U.S. National Security Strategy?– Protect against WMD, especially bioterrorism.
• What are the sources of national security risk?– WMD, especially bioterrorism.
• How do natural hazards and intelligent adversaries differ?– Natural hazard data exist; intelligent adversaries are adaptive and
dynamic.
• Are natural hazard risk analysis techniques appropriate for intelligent adversaries?– But some techniques can be used.– New techniques are needed.
• Can we model and use terrorist values and objectives?– Yes.
• How should we analyze the risk of attacks from intelligent adversaries?– Will require the design of new approaches.
• What knowledge should a national security risk analyst team have?– Will require learning adversary strategies, new techniques, new
technologies, and communications will very diverse stakeholders.