
Inspection Models for Homeland Security: Thinking Outside the Box

James R. Thompson, Katherine B. Ensor, Carleton R. Goss

Department of Statistics Rice University

Abstract and Summary. The events of September 11, 2001, have changed dramatically the perceived and actual security of the United States of America. We have become the target of attack not by a nation state, but rather by a supranational organization of fanatics bent on the destruction of our country and indeed Western Civilization itself. If America is to survive this challenge, then we need to adjust our notions of defense to deal with a threat which is quite different from those successfully dealt with during the Cold War. Just as the threat of nuclear war changed the way we handled conflicts following 1945, we need to come up with a paradigm and a set of tools to solve the new diffuse threats of al-Quaida. In this search for a new paradigm for homeland defense, we ought to learn from the lessons of the past. In particular, we need to profit from the example given us by Herman Kahn1 2, early in the nuclear age as to how we can develop new paradigms for dealing with the current threat. Model based simulation, which was the toolbox used by Kahn, can give us a rapid start in dealing with the new crisis.

It is said by some that whereas the Americans search for bombs, the Israelis search for bombers. There is some truth in this. We note at the outset that the inspection of all good targets for terrorist attack in the United States is beyond the capability of this free society. However, in most situations, maximal benefit is likely to be derived by searching out terrorists and terrorist sympathizers and neutralizing their activities. Regrettably, this will strain our notions of what it means to live in a free society. However, it is unlikely that such intrusions into the civil liberties of Americans will approach anything like such intrusions of civil liberties of subjects of the United Kingdom during the Second World War3. And few would argue that Britain was other than a fundamentally free society during that period. Without domestic support, it appears unlikely that al-Quaida will be able to achieve its stated goal of destroying the United States. Sensitivity to perceived anti-Islamic activities by the United States is essential to the minimization of domestic support within the United States for our enemies.

I. Historical Background. There is no hostile action which can be taken by al-Quaida that could not, theoretically, be taken by hostile foreign states. During the Cold War, there is little doubt that the Soviet Union could have launched a pre-emptive nuclear strike against the United States which would have destroyed over half our population and demolished our economy. That the Soviets did not do so was due to the fact that their attack would have guaranteed a response from the United States which would have devastated the Soviet Union. If a hostile group has its own territory, then its hostile activities can be curtailed by military action.

The situation changes if the hostile power has nothing tangible against which an attacked civil authority can retaliate. Such situations happen all the time. A lone serial killer may do a great deal of damage, and society will solve the problem by finding and dealing with the lone criminal. This is a police solution rather than a military one. What if the terrorist activity involves a number of individuals? In the case of organized crime in the United States, there are generally assets which can be seized. For the case of the Colombian drug cartel, the assets are in another country. The government of that country is not prepared to invite American military forces for intervention in other than an advisory capacity. Thus, the “war on drugs,” which might seem to need to have a considerable military component, has generally been unsuccessful. However, the cartel leaders have no ideological agenda; they do not represent a clear and present danger to the United States.

Al-Quaida presents a different situation: individuals who have foresworn their countries (at least the leaders of their countries) and are willing to sacrifice their own lives as tactical weapons to achieve a strategic objective. Has this happened before? Yes, in the eleventh century and following for several hundred years.

The Assassins (Hashishin, from the drug used by the sect) were a Shiite offshoot founded around 1090⁴. They essentially denied the revelations in the Koran and also its moral constraints. The founder, Imam Hasan ibn Sabah, trained suicide warriors using a kind of hashish centered brainwashing technique. Then, he demanded protection fees from the rich and powerful to avoid being assassinated by members of the sect. It is impossible to find a parallel in the West. In the Manichean tradition from which Islam partly sprang, they might be described in Star Wars terms as serving the “Dark Side of the Force.” They terrorized even Saladin who traveled frequently in a kind of portable fortress to protect himself against their attacks. The suicide warriors did not fear death, for they believed that dying in the service of the leader of the sect assured them of a place in Paradise complete with virgins and wine. The only territories controlled by the Assassins were unassailable mountain fortresses, the leader frequently being referred to as the Old Man of the Mountain. Over the centuries, these were successfully attacked and destroyed by the civil authorities. However, there was enough distribution of control in their system that destruction of even several centers did not destroy the organization. Civil rulers paid protection to keep the Assassins at bay. There was no missionary zeal in the sect, no desire to impose a purified Islam on the world. Indeed, the sect was anti-Koranic, believing in the continuing revelation from an invisible Imam communicating with the sect leader. After 150 years they were finally dispersed by the Mongols, and the survivors morphed into the heterodox Ismaili sect considered to be on the periphery of Islam together with Druzes and other sects without any real parallel in Christianity (In 1817, the Shah of Persia conferred the title of Aga Khan on the leader of the movement. Although there was an attempt by the sect to set up a kingdom in Afghanistan in the early 1800s, the Ismailis have sublimated their energies in commerce). The fact is, however, that the Assassins, lacking the religious zeal of the present day al-Quaida, were able to sustain themselves for 150 years against powerful civil authorities.

The problem presented to the secular authorities, who were quite capable of enforcing police actions and military actions, was the Assassins were far too numerous to be dealt with by police actions. On the other hand, they were too dispersed to be dealt with by military actions, particularly since they did not control nor want to control territory beyond their mountain fortresses. When the Mongols finally brought down the power of the sect, it was by a general attack on all the mountain fortresses and a ruthless insensitivity to massive “collateral damage” (The destroyer of Assassin power, Hulagu Khan, also destroyed the Sunni Caliphate in Baghdad killing nearly a million people in the process).

The Mahdi (“he who is guided aright”) is an end times figure who is supposed to bring forth the fulfillment of Islam. There are descriptions of his appearance in Islamic literature. There have been numerous pretenders to this dignity, (including one of the Imams of the Assassins, Hasan II). For example, in 1881 Mohammed Ahmed ibn Seyyid Abdullah proclaimed himself Mahdi and launched a major insurrection in the Sudan. He taught that other leaders of Islam were corrupt and to be overthrown by the faithful to be brought into submission to the Mahdi and his followers. Whether bin Laden believes himself to be the Mahdi or not, there is clear evidence that he affects the trappings and many of the attributes prophesied of this end times figure. In particular, he bears physical resemblance to the Mahdi, and, most importantly, he appeared on the scene when Islam was perceived by many to be at the nadir of its power.

In a sense, the al-Quaida movement has numerous advantages over those of the Assassin sect. For example, whereas the Assassins were heretical and used trickery to recruit their suicide warriors, al-Quaida proceeds from devotion to Islamic fundamentals. The men who flew the aircraft into the Twin Towers and the Pentagon were not rustic dupes but educated fervent believers in fundamental Wahabi dogma. It could be rightly argued that the leaders of the Assassins were simply criminal dealers in the protection racket. That is not true of bin Laden and his confreres. Bin Laden gave up a life of luxury to fight the infidels, first in Afghanistan and then throughout the world. He has given away much of his personal wealth to help the families of deceased comrades killed in fighting the infidels. Civilized people of all faiths rightly condemn bin Laden. However, to call him corrupt or a heretic against Islam would be a mistake. He appeals, as would the prophesied Mahdi, to an Islamic population which feels put upon and oppressed by the West and secular modernity.

The Mongols finally solved their problem with the Assassins by converting a police problem into a military one. In a sense, this is what America tried by its attack on Taliban/al-Quaida forces in Afghanistan. Because the al-Quaida leadership was surprised and not dispersed, it is quite possible that a rapid massive assault on their strongholds in Afghanistan would have solved the al-Quaida problem. However, the American attack appears to have been deprived of resources which were employed elsewhere in a much larger action in Iraq against the secular, albeit corrupt, regime of Saddam Hussein. The massive hammer blows analogous to those used by the Mongols against the Assassins did not take place. Increasingly, it appears that the Taliban are regaining control of much of the countryside with the Americans holding on to Kabul and a few other population centers. (Such a model, used by the British for 150 years, never proved successful, even against nonideological Afghan forces).

One strategy presently being tried against al-Quaida is the creation of a stable secular society in Iraq. Unfortunately, this is perceived by many in the Muslim world to be an attack on Islam itself. Intrinsically secular rulers, such as Kemal Ataturk, Hosni Mubarak, Reza Pahlavi, Saddam Hussein, Ali Bhutto, Benazir Bhutto, Ahmed Sukarno, Megawati Sukarnoputri, are referred to (negatively) as “Kemalists” (The United States was at least complicit in the overthrow of Pahlavi, the Bhuttos and Sukarno, and actively overthrew Saddam Hussein. Thus, in the case of the largest Sunni nation (Indonesia) the second largest (Pakistan) and largest Shia nation (Iran) the Americans seemed content to have military Islamic regimes replace secular ones). An argument can be made that the Iraq action acts as a recruiting tool for al-Quaida.

On the other hand, America has zealously defended the ruling dynasty in the most reactionary Islamic country in the world, Saudi Arabia, the country which has been the major funding source for al-Quaida. Moreover, there appears to be substantial evidence that Wahabi mosques in the West are established via funds from the Saudis5 and that some of the leaders of these mosques have been shown to have some connection with al-Quaida. Furthermore Wahabi Koranic elementary schools are paid for in underdeveloped Muslim countries by Saudi money. These madrassas are a major recruiting vehicle for lower al-Quaida echelons.

Against this rather confusing historical mosaic, we are left, domestically, with a policing activity to thwart the destructive goals of al-Quaida. Inspection, in all its forms is a major weapon for pre-empting terrorist attacks. In order to decide how to expend resources in inspection, we need to be guided by the variety of targets available to our enemies.

We note that, to date, most al-Quaida attacks have involved destruction of large structures housing large numbers of people: the attacks on the World Trade Center, the Pentagon, the nightclub in Bali, Khobar Towers, embassies in Tanzania and Kenya and the destroyer USS Cole. There have been no biological attacks, no nuclear attacks, no chemical attacks, no agricultural attacks, no attacks on the internet. Past performance is no infallible guide to the future. However, in any allocation of security resources, it is clear that prevention of conventional explosive attacks against large structures should be high on the list.

II. Inspection of Airline Passengers. The inspection model developed in this section will be used rather generally in other sections of the paper. It follows the rather intuitive rule of using inspection resources to inspect those items or persons most likely to be other than safe.

The father of Statistical Process Control, the late W. Edwards Deming, had little use for the standard acceptance rejection paradigm of quality control. Deming had noted6 that under the risk function of expected value, the number of sampled items should be either zero or the number in the total sample. The argument goes as follows:

Let Q be the total expected cost involved in sampling of a batch of n items.

Let x be the number of items inspected.

Let c1 be the cost of examining an item.

Let c2 be the cost of accepting a bad item.

Let p be the probability an item is defective.

Q = c1 x + (n - x) p c2 = (c1 - p c2) x + n p c2.

Then it is clear that we minimize Q by the following rule:

If c1 > p c2, set x = 0;

If c1 < p c2, set x = n.

In quality control, Deming was quite right.

Unfortunately, the cost of missing a terrorist is so high that Deming’s Theorem tells us to subject all passengers to a thorough inspection. However, if we did this, we would bankrupt the US airline industry. The reality is that we have to work with a constrained optimization problem: With x and n fixed, find the allocation of thorough samplings which minimizes Q.

Let n = n1 + n2. Assume the second population is more likely to exhibit "failures":

Q = c1 x1 + (n1 - x1) p1 c22 + c1 x2 + (n2 - x2) p2 c22

Q = x1 (c1 - p1 c22) + n1 p1 c22 + x2 (c1 - p2 c22) + n2 p2 c22.

Most likely, c1 - p2 c22 < 0. Consequently, since we are limited by inspection capacity to inspect a total of x items, we should follow the following rule: If n2 < x, sample all persons from Group 2 and x - n2 persons chosen at random from Group 1. If n2 > x, sample x persons from Group 2. Consider delaying flight until all n2 are sampled.

This solution implies profiling. Here is a profiling strategy:

1. Select all persons from a high risk group characterized by appropriate metrics for thorough checking. Suppose this number is n2.

2. Select x- n2 persons randomly from Group 1.
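
The all-or-none rule and the capacity-limited two-group rule above, as an added Python sketch that is not from the paper. The numeric values are constructed for illustration, and `c_miss` stands in for the paper's cost of accepting a bad item (written c2, then c22); the brute-force search checks the stated rule against every feasible split of x inspections.

```python
"""Added example (not from the paper): Deming's all-or-none rule and the
capacity-limited two-group allocation, checked by exhaustive search."""


def expected_cost(x1, x2, n1, n2, p1, p2, c1, c_miss):
    """Q for two groups: inspection cost plus expected cost of uninspected bad items."""
    return (c1 * x1 + (n1 - x1) * p1 * c_miss
            + c1 * x2 + (n2 - x2) * p2 * c_miss)


def deming_all_or_none(n, p, c1, c_miss):
    """Unconstrained single-population rule: x = 0 if c1 > p*c_miss, else x = n.
    The text leaves the tie c1 == p*c_miss open; this sketch inspects all."""
    return 0 if c1 > p * c_miss else n


def allocate(x, n1, n2):
    """Rule from the text for capacity x: take Group 2 first, then fill the
    remaining capacity with randomly chosen members of Group 1."""
    x2 = min(x, n2)
    x1 = min(x - x2, n1)
    return x1, x2


def brute_force_best(x, n1, n2, p1, p2, c1, c_miss):
    """Try every split x1 + x2 = x and return (Q, x1, x2) with the smallest Q."""
    best = None
    for x2 in range(min(x, n2) + 1):
        x1 = x - x2
        if x1 > n1:
            continue  # not enough Group 1 members to absorb the remainder
        q = expected_cost(x1, x2, n1, n2, p1, p2, c1, c_miss)
        if best is None or q < best[0]:
            best = (q, x1, x2)
    return best


def uninspected_group2(x, n2):
    """Group 2 members left unexamined when n2 exceeds capacity (the n2 > x case)."""
    return max(n2 - x, 0)


# Constructed parameters (assumptions, not values from the paper):
# c1 - p2*c_miss < 0, as the text expects, and p2 > p1.
PARAMS = dict(n1=180, n2=12, p1=1e-7, p2=1e-5, c1=50.0, c_miss=1e9)

if __name__ == "__main__":
    x = 30  # thorough inspections available for this flight
    rule = allocate(x, PARAMS["n1"], PARAMS["n2"])
    q, bx1, bx2 = brute_force_best(x, **PARAMS)
    print("rule (x1, x2):", rule)
    print("brute force (x1, x2):", (bx1, bx2), "Q =", round(q, 2))
    # Capacity exceeded: the rule inspects x from Group 2 and leaves a backlog,
    # which is the situation where the text suggests delaying the flight.
    print("backlog when n2 = 40:", uninspected_group2(x, 40))
```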

If the persons of inclusion in the riskier group are in the small minority, it will almost always be the case that putatively low risk persons such as middle-aged white businessmen and grandmothers outnumber persons from the high risk group as targets of inspection. A greater fraction of persons from the high risk group will be selected (hopefully 100%). However the absolute numerosity of persons from Group 2 will typically be greater than those from Group 1.

An obvious strategy for the terrorist game master would be to flood flights with large numbers of persons from Group 2 so that n2>x. This can be done for numerous flights over time without any untoward items being on the inspected persons. This can disrupt the inspection system. However, at the present time in the United States, there is no significant soft core al-Quaida auxiliary. Without such a group, the terrorist game master is in real trouble, for only sporadic disruptions can be caused, and in each of these, there will be ample opportunity to backtrack to the terrorist game master.

It would be disastrous to the security of the United States if any soft core group in sympathy with al-Quaida came to exist in this country. At this time, perhaps the biggest plus for security in the United States is the lack of a pro al-Quaida fifth column. Should the Bush roadmap for the creation of a free connected Palestinian state be postponed indefinitely, there is a danger of a buildup of such a fifth column. The concatenation of Jenin style “pacifications” puts the United States at the hazard. Furthermore, the very active financing of Wahabi mosques and cultural centers by the Saudis is something which might well be stopped by bilateral agreements with the Kingdom. Any infusion of funds directly or indirectly from “private” Saudi sources can be appropriately treated as coming from the Kingdom itself. Similarly, “charitable” funds from any source in the assortment of emirates in the Gulf or Sudan or Libya, etc., might well be viewed with extreme caution.

III. Global Trade a Potential Hazard. Global trade and the maritime shipping industry is a highly complex system with strong potential for terrorist infiltration.

Ninety percent of all world cargo moves by container and approximately 2/3 of the imports into the United States arrive by sea borne containers7 8. The sizes of containers admit of storage of a variety of weapons of mass destruction, including nuclear devices and “dirty bombs”; the current percentage of manually inspected containers is under 2%9. Thus there is a significant open opportunity for harm. A 2003 Port Security Wargame report produced for The Conference Board advocates development of a layered end-to-end solution of global trade10 including a recommendation of “dynamic analysis to target containers for inspection”. This report demonstrated that, in the scenario, the fallout of immediate and strong reactions (such as closing ports) to terrorist events in global trade had a significant impact on the U.S. financial markets. Having a better handle on the supply chain from initiation to arrival of goods not only improves our Nation’s chances of forgoing an attack but increases our chances of a targeted response to an attack rather than a broad sweeping mandate to close all ports. Further, closer monitoring of the supply chain improves the overall business model11.

Best Practices. There are a few examples of global corporations, namely Wal-Mart, the German retailer Metro AG, Target, as well as the Defense Department that understand the end-to-end control over the supply chain. These companies have asked suppliers to support the Electronic Product Code12 protocols producing a transparent supply chain. These corporations understand the need to follow products and shipments from origination to destination13. The Innovative Trade Network (ITN) is a consortium of companies that understand transportation, technology and supply chains that joined together to advance best practices in the industry rather than focusing on one technology. As more suppliers and producers understand the need for better information in the supply chain, which includes shipping, the opportunities for controlling terrorist activities will improve.

Shipping Industry Basics. The shipping industry is a complicated entity with many unique aspects to its industry. The basic strategy of transporting materials across the globe is for purchasers and/or sellers of materials to work with a shipping broker for transportation from one location to the next. This broker is often an independent contractor. A single container may contain contributions from many brokers. Further, the shipping industry is purely a global enterprise. The owner of a ship may be a citizen of one country, while the operator and shipmates are citizens of very different countries. Cargo is loaded and unloaded at ports all over the world. A full flow-chart of the shipping industry has been developed in private industry (see FreightDesk Technologies Inc. for further information).

The U. S. Customs has a multifaceted approach to the increased protection from cargo in the maritime industry. Inspections take place outside our borders as well as within using a variety of technologies, with physical inspection the last resort, as we have previously noted in this paper. The U. S. Customs Sea Cargo Targeting Initiative is a strategy used to identify high-risk containers that will be subjected to noninvasive inspection procedures. The Advanced Manifest Filing Initiative, enacted in October of 2003, is an attempt to understand the makeup of cargo prior to shipping and prior to reaching our shores. The Advanced Manifest Filing Initiative requires a twenty-four hour lead time for manifest filing before cargo can be loaded on the ship, thereby providing the U.S. Customs a window in which to decide on the safety of the cargo and before shipment. However, the U.S. Customs maintains a database that is rules based. Thus if you know the rules, you know the roadmap for deception.

At this time, insistence on 100% manual inspection would be unrealistic. We consider a means of selection of containers for inspection which is a significant improvement over random selection. It appears that we are moving, albeit slowly, to inspection techniques which will greatly enhance our security.

Safe Scoring. As an example, let us assume that every port visited by a container degrades the probability the container is safe. We here look at a simple multiplicative model. Let us suppose that visiting the port of Karachi degrades the safety score by a multiplier of .9800. Visiting the port of Oslo degrades the safety score by a factor of .9990. Then a container originating in Oslo, visiting the port of Karachi and proceeding has a safety score of .9800(.9990) = .9790. The ship then proceeds to Jakarta, which is assumed to have a safety factor degradation multiplier of .9700. The ship proceeds to Oakland, California. Upon arrival, it has an aggregate safety score of (.9990)(.9800)(.9700) = .9496. The “probability” the container is not safe is 1 - .9496 = .0504.

Let us compare this with another container which went on a ship transiting directly from Oslo to Oakland. Such a container would have a probability of being unsafe of 1 - .9990 = .0010. The relative efficiency of inspecting an Oslo-Karachi-Jakarta-Oakland container as opposed to an Oslo-Oakland container is .0504/.001 = 50.40.

Advantages of Inspecting Containers with Smallest Safe Scores. There are many ways that safe scores might be assigned other than the simple multiplicative rule based on port transits. Let us suppose we have the ability to inspect one out of five containers with the safety scores indicated in Table 1.

Table 1

Container Number    Safe Score
1                   .9900
2                   .9970
3                   .9980
4                   .9990
5                   .9990

If we decide to inspect the container with lowest safe score, namely container #1, the average (expected) safe score of one of the uninspected containers is

E1 = 1/4(.9970 + .9980 + .9990 + .9990) = .99825.

The probability the average container will be unsafe is

P1 = 1 - E1 = .00175.

On the other hand, had we chosen to select a container at random for inspection, the average safe score of one of the uninspected containers would have been

E2 = 1/5(.9900 + .9970 + .9980 + .9990 + .9990) = .9964.

The probability it will be unsafe is

P2 = 1 - E2 = .0036.

Thus, the efficiency of inspecting from the lowest safe score container as opposed to one randomly selected is .0036/.00175 = 2.0571. Next, let us consider a case where the safe score disparity is more dramatic. Consider the safe scores in Table 2:

Table 2

Container Number    Safe Score
6                   .9500
7                   .9970
8                   .9980
9                   .9990
10                  .9990

Here if the lowest safe score container is the one selected for inspection, we still have

E1 = 1/4(.9970 + .9980 + .9990 + .9990) = .99825, and P1 = 1 - E1 = .00175.

However, now when we select a container at random for inspection, we have

E2 = 1/5(.9500 + .9970 + .9980 + .9990 + .9990) = .9886 and P2 = 1 - E2 = .0114.

The efficiency of sampling from the container with smallest safe score is .0114/.00175 = 6.51. The general rule of selecting those containers for inspection to be those with the lowest safe scores appears optimal under the criterion of maximizing the expected safe scores of the uninspected containers.

What shall be done about containers having no measured safe scores? Simply passing them without any possibility of inspection would be equivalent to assigning them safe scores of 1.0000. On the contrary, a container without a score, by the very fact of its unscored condition, should receive a low safe score. Until such time as containers are all subjected to safe scoring, it will be necessary to use the best possible information to award each container a safe score. This means that we can have two containers with the same safe score, where one has been given a score according to a well-defined protocol and another given the same score by the subjective judgment of experts (aka the Delphi Method).
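
The safe-score arithmetic above, as an added Python sketch that is not the paper's code. The port multipliers and the Table 2 scores are the paper's; `UNSCORED_DEFAULT` and the function names are assumptions, since the text says only that an unscored container should receive a low safe score. It extends the one-in-five case to inspecting any k containers.

```python
"""Added example (not from the paper): multiplicative safe scores, lowest-score
selection, and efficiency relative to random selection."""
from math import prod

# Multipliers quoted in the text for its worked route.
PORT_MULTIPLIER = {"Oslo": 0.9990, "Karachi": 0.9800, "Jakarta": 0.9700}

# Assumed value: the text gives no number for an unscored port or container.
UNSCORED_DEFAULT = 0.9000

# Table 2 from the text: container number -> safe score.
TABLE_2 = {6: 0.9500, 7: 0.9970, 8: 0.9980, 9: 0.9990, 10: 0.9990}


def route_safe_score(ports):
    """Product of the multipliers of every port visited; unknown ports are
    treated as unscored rather than as perfectly safe."""
    return prod(PORT_MULTIPLIER.get(port, UNSCORED_DEFAULT) for port in ports)


def relative_risk(route_a, route_b):
    """Ratio of the unsafe probabilities (1 - safe score) of two routes."""
    return (1 - route_safe_score(route_a)) / (1 - route_safe_score(route_b))


def select_for_inspection(scores, k):
    """Return (ids of the k lowest-scoring containers, scores with gaps filled).
    A score of None means the container was never scored."""
    filled = {cid: UNSCORED_DEFAULT if s is None else s for cid, s in scores.items()}
    ranked = sorted(filled, key=lambda cid: (filled[cid], cid))
    return ranked[:k], filled


def efficiency_vs_random(scores, k):
    """P2 / P1 in the text's notation.
    P1 = 1 - mean score of the containers left after inspecting the k lowest.
    P2 = 1 - mean score of all containers, which is the expected mean of the
    uninspected remainder when the k inspected ones are drawn at random."""
    if not 0 < k < len(scores):
        raise ValueError("k must leave at least one container uninspected")
    chosen, filled = select_for_inspection(scores, k)
    rest = [s for cid, s in filled.items() if cid not in chosen]
    p1 = 1 - sum(rest) / len(rest)
    p2 = 1 - sum(filled.values()) / len(filled)
    if p1 == 0:
        raise ValueError("remaining containers all have safe score 1.0")
    return p2 / p1


if __name__ == "__main__":
    long_route = ["Oslo", "Karachi", "Jakarta"]
    print("route score:", round(route_safe_score(long_route), 4))
    # The text rounds the score to .9496 before dividing, giving 50.40.
    print("relative risk vs Oslo direct:", round(relative_risk(long_route, ["Oslo"]), 2))
    print("Table 2 efficiency, k=1:", round(efficiency_vs_random(TABLE_2, 1), 2))
    # Constructed manifest: container 2 has no score and is ranked first.
    print("inspect first:", select_for_inspection({1: 0.9990, 2: None, 3: 0.9500}, 1)[0])
```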

Earlier in this paper, we noted Deming’s theorem where it was shown that if the cost of a bad item passing undetected is high enough with nonnegligible probability of occurrence, then we really ought to use 100% inspection. At present, we are essentially able to inspect very carefully every high risk airline passenger. When it comes to containers, we are far removed from such a capability. With inspection rates under 2%, an incompletely executed safe scoring protocol will not protect us from failure to detect containers containing dirty bombs. The reason we have so far been spared is undoubtedly the fact that the terrorists have not attempted to send such in containers into the United States. We have been spared, not by our prudential inspections, but by the logistical shortcomings of our enemies.

Furthermore, we must consider the fact that inspection in a port is complicated by the fact that many US ports are near population centers. A booby trapped container containing a dirty bomb might cause very substantial destruction if it blows up during the in port inspection. Furthermore, we must sooner or later be subject to terrorists playing the game of chicken. For example, a terrorist phones the Port Authority during the early stages of unloading of a container ship and states that a hidden WMD will be detonated. Such threats, delivered after a container borne WMD has actually been detonated would have some credibility. We need to stop “dirty” container ships when they are well out to sea. It is fairly clear that

1. We need 100% inspection of containers.

2. This inspection should not be carried out in American ports but rather before the ships reach our shores.

Toward a 100% Inspection of Container Ships at the Twelve Mile Limit. There appears to be little reason for bringing bioweapons into America via shipping containers. The mass required is sufficiently small as to be deliverable via diplomatic pouch. By the same token, nerve agents, such as sarin, can easily be manufactured by operatives in the United States. No great mass of sarin is required if it is released in a confined space, such as a subway or mall.

The major candidate for terrorist use in shipping containers would appear to be either a full blown nuclear device or a dirty bomb (nuclear material spread by conventional explosion). The United States is presently very vulnerable to such weapons delivered in containers and we need to obviate the problem by 100% inspection on the high seas. A ship containing a nuclear device or a dirty bomb needs to be turned away or boarded at the twelve mile limit. If one assumes the terrorist has access to the latest weapons and shielding technology, USA detection of, say, a 100 kiloton yield nuclear device inside a container, with the device well shielded, would be difficult. However, access to such technology might well imply the terrorists had access to a workable delivery system, for example, a sea to land rocket fired from a submarine cruising near an American city. It is probably not unreasonable to suppose that the terrorists have some limitations concerning weapon construction and shielding.

Consequently, there is something to be said for a detection system which could detect radiation coming from an imperfectly shielded container. The United States already has this level of detection technology14. It would be feasible to use helicopter flyovers as a means of detecting a “hot” ship, one made hot perhaps by having one of 2,000 containers containing a dirty bomb. While it is true that such a system of inspection would not catch a very cleverly shielded nuclear store, there are already active devices using neutron and gamma ray emission which can, at the prototype stage, detect, for example, lead shielding. These scanners are very slow and primitive at this time. However, prototypes do exist (Pulsed Fast Neutron Analysis (PFNA)15). In the future, it may be possible to scan the entire ship for such things as shielding, nuclear material, etc. In the meantime, we might do well to note that, our technological limitations notwithstanding, we can readily utilize passive detectors for gamma radiation to detect ships carrying not very well shielded nuclear material.

A Specific Statistical Model for Container Inspection. The search for rare events has long been a difficult task in statistical studies16. Basic random sampling, by design, has a low probability of identifying sampling units within a rare subpopulation. If a sampling frame is available for the rare and majority populations, a simple form of stratified random sampling can serve our purposes. Forms of advanced sampling such as stratified sampling, double sampling, importance sampling, cluster sampling, or network sampling help to alleviate this inherent problem with basic simple random sampling17 18, each increasing the chances of uncovering a potential danger at a reduced overall cost of inspection.

A difficulty in sampling implementation arises because, prior to inspection, we do not know whether a particular sampling unit, namely a container, falls into the dangerous (or rare) stratum or the safe (or mainstream) stratum; and, given the current state of technology, it is too expensive to inspect or sample every container to determine whether it is dangerous or safe. One strategy then is to screen each sampling unit or container based on characteristics associated with the container that are relatively easy to measure, thereby developing the sampling frame. A related strategy to screening is to select observations proportional to the probability they are a member of the rare subgroup according to other characteristics measured, e.g. using methods such as rank set sampling and importance sampling19. We see today the effects of screening, to develop the sampling frame, followed by stratified sampling, to select the sample unit, as airline passengers deemed high risk by their characteristics have a higher probability of selection for a thorough search. In the previous section, we indicated that 100% inspection of the high-risk groups was necessary to meet an objective of minimizing the expected cost when the cost of missing a terrorist is significantly large enough that it offsets the probability of a terrorist being inspected. Identification of these high-risk groups, or the screening step, is a difficult task.

As we have noted, 100% inspection of every possible person, container or entity that can do harm to the populace of the United States will bankrupt our nation. We argue in our introduction for 100% inspection of groups or entities wishing us harm. Again, identifying the group for 100% inspection is a difficult task. However, can we develop a sampling and inspection model, or screening model, which will increase the likelihood of preventing a catastrophic terrorist event? The solution is an information and inferential based inspection model. The specific model for inspection will depend on the system under study. For inspection of containers, an explicit inspection strategy is given.

Informed Inspection Model for Containers. Previously, we described the degrading probability of a safe container based on the ports a container visits. This is one example of how to assign a safe score to a particular sampling unit. In general, such a probability can and should be based on all information known about a container including the subjective information of the operators and shipping brokers who handle the container. In Figure 1 we define the general strategy for information and inferential based inspection of containers. For each container, all information that is known about this container is assimilated to estimate a vector of safety scores for the container. The safety scores are defined simply as the probability of a safe container based on the information set considered. Generally, the safety scores guide allocation of inspection resources to best protect the public.

Figure 1. Information and Inferential Based Inspection

Even though the basic strategy is solid, from a statistical perspective, the devil is in the detail. For example, what, if any, information exists to estimate a safety score (defined as the probability of a safe container)? Also, how do we deal with incomplete and varying quality of information? How far from operational is an informed inspection process? Although we cannot fully explore all issues in this manuscript, we do address some of the major issues and propose a prototype design for an information-inferential based model for inspection of containers.

How can statistics help? An information and inferential based inspection protocol requires that inferences concerning the container (or other unit of inspection) be made. We have formulated these inferences as an estimate of a vector of safety scores. Containers could then be classified in the low risk, medium risk and high risk category for inspection based on their specific safety scores.

In this section we map out a statistical algorithm that will allow appropriate classification of a container and thereby direct a cost effective inspection protocol. We cannot begin to tackle all of the issues associated with this analysis problem in one manuscript; however, we have identified key statistical issues that we believe are inherent in this complex study and that will lead to furthering of the technology for an information inferential based inspection system. These key issues are 1) the amount and quality of data; 2) the large scale of the system; 3) the multivariate nature of the system; 4) including information from different sources, including expert opinion. We prototype an informed inspection process based on the sources of best practice. Our basic strategy is as follows:

1. Identify the primary components of the shipping process.

2. Obtain profile distributions for each component of the shipping process based on historical data and expert opinion.

3. Obtain a safety score for a given container from each profile distribution.

4. Obtain the multivariate profile distribution of safety scores, highlight the extreme clusters as well as anomalous safety scores based on the historical data set.

5. Predict the safety score vector for an incoming container and ascertain its inspection protocol based on comparison with the profile distribution developed in step 4.

6. At every step in the supply and inspection chain, the safety scores for a given container are updated which then leads to an updated inspection protocol.

Step 1: The major components to the shipping system we have identified are:

• Shipping broker profile
• Shipper profile
• Container contents and manifest
• Container characterization
• Route of container
• Destination port
• Inspection profiles

Our process is not limited to these seven components. The number of components can be expanded or contracted as needed. We have identified the components that are most obviously important factors when considering the safety of or threat posed by a particular container.

In steps 2 and 3 the safety scores for each individual component are obtained. In this manuscript, we explicitly define the process for the broker safety scores. The remaining six safety scores for the above six major components of the system are obtained in a similar fashion.

Development of the Broker Safety Score

Step 2. For each component of the shipping system, we identify the major sources of information about that component. Figure 2 lists the information used in development of profile distributions for the shipping broker, the shipper and/or owner and the container content profile. This information will generally come in the form of categorical data creating sparsely populated multi-way contingency tables. To handle the multitude of missing information, within each subcategory an additional category of “missing” is included. For example, the “broker profile” identifies the type of goods generally handled by the broker as an important piece of information. If the broker handles a different type of goods than he/she has historically handled then this would signal an unusual event. Type of goods within broker is categorized as volatiles, household, industrial, other and missing. By including a category of missing we are explicitly examining the presence or absence of information in the profile distributions. Simulation studies are conducted in a companion paper20 that investigates the degree to which missing values affect the profile distributions.

In order to get a handle on the highly multivariate information set, we proceed to use dimension reduction techniques, such as correspondence analysis, for categorical data21 22 23. Correspondence analysis finds the linear combination of factors that best describes the variation in the categorical data as measured by the chi-squared statistics for the associated contingency table. Typically the dominant two linear combinations of factors explain the majority of the variation. Thus the high-dimensional information set is reduced to a two dimensional measure. We refer to this two dimensional information measure for the kth broker as Bk.

Figure 2. Development of Broker Profile Distribution

We now have a set of random vectors, B1, …, Bm, where m represents the number of brokers sampled from the population of brokers of size M. We assume that the random vectors are independent and identically distributed. For this latter assumption to be correct, the brokers from which we are building our profile distribution should be randomly selected from the possible brokers operating out of a specific port. We will develop broker distributions for each port. In reality, the independent and identically distributed assumption may be an oversimplification of the problem. However, we can easily build in dependence measures between brokers as well as segments of brokers that behave differently, thereby violating our “identically distributed” assumption. Again, our objective is to identify brokers (or any piece of information associated with a container) that are outside of the norm.

Based on our set of random vectors, B1, …, Bm, we estimate the bivariate cumulative distribution function (CDF), i.e. the broker profile distribution. This estimation may take several forms and is investigated more fully elsewhere24. We will also examine this distribution for “high concern” modes, or alternatively find “high concern” clusters from the random sample B1, …, Bm. In other words, we will look for anomalous events25 as well as generally low security clusters.

Step 3. For a given container, we obtain the broker measure, bk, and compare this measure to the broker profile distribution based on two factors:

1. pBroker,k = P(B1 > bk1 and B2 > bk2), where B1 denotes the first component of the two dimensional profile distribution for a random broker B and B2 the second. In other words, we are identifying the tail probability for a given broker based on this two-dimensional Broker Profile Distribution developed in Step 2 of our algorithm.

2. Is bk an element of a high, medium or low security risk cluster? We denote this security risk cluster classification for the kth broker by rBroker,k .

Figure 3 demonstrates identification of high, medium and low security clusters from the general data. A given container may have contributions from more than one broker. In this case, the broker safety score will be the minimum of the broker safety scores from all brokers who have contributed contents to the given container.

Figure 3. Example of Security Clusters. [Plot “Identification of Security Clusters”: Component 1 versus Component 2. These two components explain 93.29% of the point variability.]

In a similar fashion, the profile distributions for each of the other six major components and the subsequent two risk measures are obtained. Thus, for each profile distribution we obtain the two safety measures as summarized below:

• Shipping broker profile distribution → pBroker,k and rBroker,k
• Shipper profile distribution → pShipper,k and rShipper,k
• Container contents and manifest distribution → pContents,k and rContents,k
• Container characterization distribution → pContainer,k and rContainer,k
• Route of container profile distribution → pRoute,k and rRoute,k
• Destination port profile distribution → pDestination,k and rDestination,k
• Inspection profile distribution → pInspection,k and rInspection,k

Step 4. In this step, the individual safety scores based on the seven identified components are combined into two vectors of safety scores.

1. pk = (pBroker,k, pShipper,k, pContents,k, pContainer,k, pRoute,k, pDestination,k, pInspection,k) = the seven probabilities of tail events or anomalous behavior of a container k as defined in Step 3.1.

2. rk = (rBroker,k, rShipper,k, rContents,k, rContainer,k, rRoute,k, rDestination,k, rInspection,k) = the vector of seven categories of classification as defined in Step 3.2.

Step 5. Steps 2 through 4 are repeated for n randomly selected containers from a given port to obtain p1 … pn and r1 … rn. As in Step 2, we develop the multivariate profile distribution based on the n selected containers. This distribution will form the basis for comparison of a specific container at a specific port.

Step 6. At each stage of the supply chain and inspection process, the profile distributions for a given container are updated, incorporating the additional knowledge gleaned from the previous steps. It is possible that a particular container can transition to the “high risk” category. A useful exercise would be to map the path of a container at each stage of the process through a Markov chain argument, thereby fully utilizing the historical path. Such an analysis is not considered further in this manuscript.

Summary of a model for inferential based inspection of containers. The above algorithm for information inferential based inspection of containers is scalable and adaptable to other types of inspection processes. The key objective is to perform adequate screening so that the proper containers are identified. Certainly there will be a nonzero probability of a container not being selected that should be; however, the objective is to determine a reasonable inspection model that significantly improves the overall efficiency of the process.
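The broker-component scoring of Steps 3 and 4, carried through on a small data set, as an added Python example that is not code from the paper. The historical broker measures, their cluster labels, the nearest-centroid rule, the worst-cluster rule for several brokers, and the triage rule with its `alpha` threshold are all assumptions made for illustration.

```python
from math import dist

RISK_ORDER = {"low": 0, "medium": 1, "high": 2}
COMPONENTS = ("broker", "shipper", "contents", "container",
              "route", "destination", "inspection")

# Constructed stand-in for the Step 2 output at one port: two-dimensional
# broker measures B_1..B_m, each tagged with the security cluster it fell in.
LOW = [(-1.2, -0.8), (-0.9, 0.1), (-0.7, -0.4), (-0.5, 0.6), (-0.4, -1.0),
       (-0.2, 0.3), (-0.1, -0.6), (0.0, 0.9), (0.1, -0.2), (0.3, 0.4),
       (0.4, -0.9), (0.5, 0.0), (0.6, 0.7), (0.8, -0.3), (0.9, 0.5)]
MEDIUM = [(1.6, 1.2), (1.8, 0.9), (2.0, 1.5)]
HIGH = [(3.2, 2.4), (3.5, 2.1)]
HISTORY = ([(p, "low") for p in LOW] + [(p, "medium") for p in MEDIUM]
           + [(p, "high") for p in HIGH])


def tail_probability(b, history):
    """Step 3.1: empirical P(B1 > b1 and B2 > b2) over the profile sample."""
    hits = sum(1 for (x, y), _ in history if x > b[0] and y > b[1])
    return hits / len(history)


def cluster_centroids(history):
    """Mean point of each labelled security cluster."""
    groups = {}
    for point, label in history:
        groups.setdefault(label, []).append(point)
    return {label: (sum(p[0] for p in pts) / len(pts),
                    sum(p[1] for p in pts) / len(pts))
            for label, pts in groups.items()}


def risk_cluster(b, history):
    """Step 3.2: nearest-centroid assignment (an assumed rule; the paper
    does not fix the clustering method)."""
    cents = cluster_centroids(history)
    return min(cents, key=lambda label: dist(b, cents[label]))


def broker_scores(broker_measures, history):
    """Several brokers on one container: the paper takes the minimum safety
    score; taking the worst cluster for r is an assumption."""
    if not broker_measures:
        raise ValueError("container has no broker measure")
    scored = [(tail_probability(b, history), risk_cluster(b, history))
              for b in broker_measures]
    p = min(s[0] for s in scored)
    r = max((s[1] for s in scored), key=RISK_ORDER.__getitem__)
    return p, r


def container_category(p_vec, r_vec, alpha=0.05):
    """Step 4 vectors -> low/medium/high (hypothetical triage rule).
    A component with no score is escalated to at least medium."""
    worst = "low"
    for name in COMPONENTS:
        p, r = p_vec.get(name), r_vec.get(name)
        if p is None or r is None:
            level = "medium"
        elif r == "high" or p < alpha:
            level = "high"
        else:
            level = r
        worst = max(worst, level, key=RISK_ORDER.__getitem__)
    return worst


if __name__ == "__main__":
    # Constructed container whose contents came through two brokers.
    p, r = broker_scores([(0.2, 0.1), (2.9, 1.9)], HISTORY)
    p_vec = {c: 0.5 for c in COMPONENTS}
    r_vec = {c: "low" for c in COMPONENTS}
    p_vec["broker"], r_vec["broker"] = p, r
    print(p, r, container_category(p_vec, r_vec))
```

With real data the same functions would be run once per component and per port, and re-run at each stage of the supply chain as Step 6 describes.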

IV. Multivariate Considerations for General Threats. It is not the case that we can make a list of all security threat problems and simply order them in terms of their seriousness. The security problem, like most problems in the real world, is multidimensional. We might make a taxonomy of terrorisms something like:

Categories of Terrorism

Psychological = 1
Chemical = 2
Biological = 3
Nuclear = 4
Agricultural = 5
Conventional Explosive = 6
Electronic = 7

Then, we should be interested in the

Sources of Terrorism

State = 1
Separatist/Independence Organization = 2
Economic Cartel = 3
Cultural and Linguistic Group = 4
Religious Group = 5
Distraught Individual (aka nutcase) = 6

The target chosen by the terrorists is of interest

Targets of Terrorism

Buildings = 1
Tunnels = 2
Bridges = 3
Dams = 4
Ships = 5
Trains (including inner and intra city transport) = 6
Aircraft = 7
Nuclear Facilities = 8
Forests = 9
Agricultural Sites = 10
Internet = 11
Power Grid = 12
Water Sources = 13
Chemical Sites = 14
Ports = 15
Individuals = 16
General Populations = 17

The lethality of attack is of obvious interest

Levels of Lethality

Nonlethal = 1
Low = 2
Medium = 3
High = 4
Massive = 5

Then, we should consider the

Complexity (Cost Level)

Slight = 1
Low = 2
Medium = 3
High = 4
Advanced = 5

We should also consider the

Threat Level

Slight = 1
Low = 2
Medium = 3
High = 4
Imminent = 5

We note that for some of the variables, e.g., lethality level, complexity level, and threat level, there is a natural ordering. For some, e.g., category and source, the numerical scoring is arbitrary. The above Taxonomy of Terrorism is summarized in Figure 4.

Figure 4. Summary of Taxonomy for Terrorism

As an example, let us consider an al-Quaida sarin attack in the New York City subway:

Category = Chemical (2)
Source = Religious Group (5)
Target = 6
Lethality Level = 4
Complexity Level = 3
Threat Level = 3

As another example let us consider a distribution of incendiary bombs in the national forests by Aryan Nations:

Category = Agricultural (5)
Source = Separatist Group (2)
Target = 9
Level of Lethality = 1
Complexity Level = 2
Threat Level = 1

As another example, let us consider a Palestinian rocket attack on a commercial airliner as it departs Reagan National Airport:

Category = Conventional Explosive (1)
Source = Separatist/Independence Group (2)
Target = 7
Lethality Level = 4
Complexity Level = 4
Threat Level = 1

As a final example, let us consider the insertion by al-Quaida of a data destructive worm into a major transactional file server of Goldman-Sachs.

Category = Electronic (7)
Source = Religious Group (5)
Target = 11
Lethality Level = 1
Complexity Level = 4
Threat Level = 2

Here, the allocation of resources for inspection and other security measures is seen to be a difficult problem. This is complicated by questions of aggregation. For example, no Palestinian group has ever carried out a terrorist act in the United States. However, Palestinian groups are not the only source for a rocket attack against commercial aircraft. Other sources include the Colombian drug cartel, the Iranians (the US downed one of their commercial aircraft in the Gulf a decade ago26), extortionists, nutcases, and some country using a false flag attack to increase tensions between America and, say, the Palestinians. When deciding whether to put anti-missile systems on commercial carriers, all sources of a rocket attack must be aggregated.

Generally speaking, within one category, such as guarding against an attack by an airline passenger, ordering may not be a problem. However, as we move across the categories of attacks, ordering is a big problem. When the Department of Homeland Security warns Americans against the possibility of al-Quaida attacks during, say, political conventions, but then does not raise the color coded threat level, this is simply a manifestation of the fact that ordering of multivariate data is not straightforward.

The world is multivariate and neither naturally nor readily ordered. Some considerable intuition is required for decision making concerning allocation of security resources. One thing statistical science enables us to do is the presentation of a multivariate matrix for decision makers to use in their decision making. All this being said, we need to observe that al-Quaida has favored massive explosions in structures containing large groups of individuals. Were al-Quaida taking a game theoretic approach, it might swap target types and modalities of destruction constantly. Such a strategy might be almost a necessity if our Homeland Security strategies were mature and effective. However, al-Quaida is following the manufacturing strategy of “keep it simple and do what you know how to do.” There is little doubt, therefore, that a disproportionate amount of inspection resources ought to be expended in guarding against massive explosive attacks against structures.

V. Inspection of Groups and Opinions. When it comes to the inspection of individuals, some perceived loss of civil rights must be expected. Following the destruction of the Alfred P. Murrah building in Oklahoma City in April of 1995, in which the fatalities were approximately 5% of those experienced on 9/11/2001, an argument could have been made that persons with the profile of Timothy McVeigh should have been judged to make up the high risk subpopulation. Deciding whom that profile encompassed would have been difficult. Young white Christian males, veterans, disturbed by the assault on the Branch Davidian in Waco? A very large group indeed. From a practical standpoint, the Oklahoma City bombing appears to have had a natural suppressing effect on further assaults on major civilian targets. Persons sharing McVeigh’s views concerning Waco generally recoiled at the enormity of the Oklahoma City bombing27. Had the “militia” movement been enhanced by the Oklahoma City disaster to the point of building up a large group of homicidal fanatics, the United States would have been in real difficulty. Very quickly, our airlines would have been overwhelmed by inspections both of passengers and baggage. Agricultural suppliers would have been subjected to severe restrictions on the selling of such materials as ammonium nitrate, even to old customers. A civil war along the lines of that described by futurist Ian Slater would have been a real possibility.

It would be difficult to find non Muslims sympathetic to the actions of al-Quaida. Indeed, Shias have themselves been targeted in Pakistan and Iraq by al-Quaida terrorists. So far, the only potential recruiting ground for al-Quaida in the United States is the Sunni community. To date, American Sunnis have overwhelmingly rejected al-Quaida and sided with their fellow Americans. This fact is understood and appreciated by the American non Muslim population. Following the attacks of 9-11, there was not one single case in which an American Muslim was killed in revenge by any American Christian. America would seem, in this regard, a nearly ideal multicultural society.

From the standpoint of the livability of America, this unwillingness of American Sunnis to form a fifth column of support for al-Quaida is essential. However, we know that there have been exceptions. For example, a Wahabi penetrated mosque in Fort Worth did have a fringe which actively supported al-Quaida.

The pouring of money into America to build Wahabi schools, mosques, and fundamentalist social structures has not been helpful for the amity of the United States with its Muslim citizens. Without such Saudi interference in the social structure of the United States, the minimal support al-Quaida enjoys among some American Sunnis would be even less than it is. There comes a boundary where such interference goes beyond religious freedom to the brazen meddling by a foreign power in the structure of the United States. In the minds of many, the Saudis crossed this boundary a very long time ago. Although it is said that al-Quaida functions without support from any state, there can be no doubt that it has been massively financed by unofficial sources within Saudi Arabia. It can also be observed that the line between official state supported Wahabism and the goals of al-Quaida is a blurred one.

One matter which needs to be mentioned is that American Muslims are not in sympathy with America’s perceived subsidy of Israeli domination and expansion on the West Bank. Israeli incursions into places such as Jenin are extremely upsetting to many American Muslims. Unless the Bush “roadmap” for the creation of an independent connected Palestinian state with adequate water rights is followed, with some speed, there may come a point where the American Sunni community will begin to produce significant numbers of al-Quaida sympathizers. If this point is ever reached, the danger level to the United States will have increased substantially. A major strength America has against al-Quaida is the fact that American Sunnis do not support al-Quaida. Should this change, it would be quite harmful to the interests of the United States.

VI. Inspection of Foreign Visitors. The problem of screening visa applications for terrorists is closely connected with the problem of screening containers for terrorist materials: in both instances, the government must screen a large number of items in a timely fashion and, with incomplete data, make a decision about whether or not to allow entry into the country. Taking advantage of this fact, we reason that the development of a solution to one of the problems would be, in itself, great progress towards the solution of the other.

Like the problem of container inspection, the problem of visa inspection is vast in scale; in 2000 the State Department, the department in charge of processing visa applications, granted 7.1 million visas to 10 million applicants at some 200 consular offices28 (among those granted visas during this time period were the majority of the 9-11 pilots29). Moreover, in 2000, 17 million visitors a year came from one of the 29 countries for which no visa is required30. By some estimates the total number of foreign visitors to our nation in 2000 was approximately 31 million.

Like the problem of container inspection, the problem of visa inspection is exacerbated by insufficient data, insufficient data sharing, fraudulent data, and inadequate policies. Data is insufficient in the sense that reasons for denying/approving visa requests are relatively slim. Only after the 1993 World Trade Center bombing, in which the known terrorist Sheik Omar Abdel Rahman was granted a visa, were consulates required to check visa applicants against a list of known terrorists31. Aside from a list of known terrorists, consulate officials have no other reliable data to refer to when screening for terrorists.

Insufficient data sharing exists among the federal agencies in charge of national security, most notably between the INS and intelligence agencies (six months after September 11th, INS approved Mohammed Atta’s and Marwan al-Shehhi’s request for new student visas despite their deaths in the terrorist attacks32). Steps have been taken to help alleviate this problem (most importantly the Border Security Act of 200233), but ongoing efforts are required.

Fraudulent data exists in at least three major ways: (i) the reliability of American intelligence, (ii) visa applications are rarely corroborated with additional data (in fact, the only way a known terrorist can be denied a visa application is if he applies under his known alias), and (iii) corruption within consulate offices (on 21 May 2002, Abdulla Noman, a Yemeni citizen and former long-term employee of a U.S. consulate in Saudi Arabia, pled guilty to bribery in the issuance of 50 to 100 visas between September 1996 and November 200134) and the problem of falsified documentation (media sources report that Canada’s Department of Foreign Affairs investigates some 1,000 passport frauds each year, including those using altered stolen passports, fraudulently completed passports that had been stolen in blank, and those using false documentation to obtain a genuine passport35).

Inadequate policies are the result of a system that is engineered to scan for visa applicants who appear likely to settle illegally and not those who may be terrorists. Fortunately, there is a great deal of overlap between the two groups of people: people who are likely to settle illegally in this country are usually young, have few family connections, and have little or no job prospects in their home countries. This profile generally fits that of possible terrorists. As such, the shift in central policy may not be as drastic as it otherwise might have been.

Terrorists may attempt to bypass entering the country in a legal manner and instead attempt an illegal crossing at a poorly guarded location somewhere along the United States’ 8,000 miles of land and sea border. While such a chosen means of entry remains conceivable, given that all the members of the 9-11 contingent entered the country legally and that plenty of weaknesses in the system still remain to be exploited, it seems unlikely that a terrorist would choose an illegal method of entry. Additionally, a passport, even a fraudulent one, would provide a terrorist sufficient identification documentation to obtain other types of materials.

VII. Inspection of Airline Personnel. It goes without saying that all airline personnel should be vetted regularly. Such personnel might be targeted by extortion, bribery and blackmail. Polygraphing at random times (using a “with replacement strategy”, i.e., a person is always at the same risk of being checked, regardless of past history of checking) is a distasteful and costly, albeit necessary, protocol for airline and security personnel. Protocols whereby personnel under duress might transmit unobtrusive panic signals to responsible authorities should be established. Personnel who observe a colleague behaving very atypically should have means for reporting the fact. In the age of terrorism, “Don’t ask, don’t tell” is not an appropriate mode of operation.

VIII. Inspections against Bioterrorism. The importation of persons infected by a particular bacterial or viral agent is one of concern, since it is relatively simple and inexpensive to achieve. Bringing into the United States carriers of such diseases as smallpox would be relatively easy. Even careful inspection of persons passing through airport terminals might be of only limited value, assuming that the carrier was reasonably well educated and on a suicide commission. Moreover, the disease could be introduced into unknowing persons south of the United States border who were in staging assemblies for transportation into the United States by (possibly complicit) smugglers of humans. Inoculation against smallpox of the general American population may well be in order. The assumption of extinct diseases is no longer a valid one. Moreover, the introduction of smallpox by actual infective persons assumes a level of scientific primitivity of al-Quaida which is probably overly optimistic. Cultures of smallpox may be easily put into aerosol containers for dispersal into shopping malls, athletic stadia, etc.

At a higher level of scientific sophistication, we have weaponized anthrax. Here, national vaccination does not seem a feasible policy. There is some thought that anthrax vaccination may be a cause of Gulf War Syndrome36. We know from a long history of its implementation that the negative effects of smallpox vaccination pose very low risks of mortality and serious long term damage to the human organism. We have no such reliable assurances for anthrax vaccination. Furthermore, we know that certain antibiotics such as Cipro, if given within a reasonable time from ingestion of spores, are effective in preventing disease. There seems to be no good procedure for detecting concealed weaponized anthrax spores. What would happen if, say, a thousand envelopes with weaponized anthrax spores were sent to population centers all over this nation? Clearly, such a quantity of the weapon would imply involvement by a nation state, vulnerable to nuclear retaliation. With the smaller number more likely due to terrorist attack, say 20 envelopes, the situation could be dealt with by rapid public health intervention with decontamination and prophylaxis medication. A good automatic detection procedure for anthrax in the mails, though not presently in use, is highly desirable.

Further, more sophisticated weapons created via genetic engineering are a problem of an entirely different level of seriousness. Such weapons, actively developed by the Soviet Union, were not deemed feasible weapons, since dreadful epidemics could come round and destroy the population of the delivering nation. With al-Quaida, there seems to be little reluctance for inflicting collateral destruction of even sympathetic populations. Doomsday scenarios with sophisticated genetically designed bioterror agents are so far only the subjects of medical fiction. There is reason to assume that at some point fiction may well become reality. In order to deal with the spread of epidemics, known and hypothesized, across the nation, we propose simulation strategies. Here is a point where it is important to think beyond the inspection problem to the epidemiology of disease spread. There are currently under development simulation programs37 for the spread of an epidemic across the nation reasoning from the standpoint of the terrorist game master.

IX. Inspection and additional areas of Homeland Security.

The “Stinger Problem”. Until a satisfactory procedure for assuring that explosives are not contained in baggage or containers is in place, aircraft can still be blown out of the sky. Furthermore, aircraft can be attacked by shoulder-fired missiles around most airports. This is particularly the case with “in city airports” such as Reagan National in Washington, D.C. The costs of removing civilian populations from around the flight paths of departing aircraft are simply too high. Law enforcement officers need to be trained to observe irregular comings and goings, particularly of persons from high risk groups, in areas deemed to be possible launch sites. There is currently no substitute for the active looking for terrorists and penetrations of their organization. If “stinger attacks” are to be koshed, this will most likely be achieved by making terrorist seeking an integral part of the training of law enforcement officials. Municipalities, already stressed with financial shortfalls, cannot be expected to deal with anti-terrorist surveillance as being an unfunded federal mandate. Federal funds should be provided for this purpose.

Attacks on Nuclear Power Facilities. It could be argued that there is no particular reason for terrorists to bother with acquiring nuclear material abroad, forming it into dirty bombs, and hiding these in containers for shipment to the United States. There are readily available supplies of nuclear material within the United States. For example, there are 104 nuclear power plants in the United States38; each of these is a potential “dirty bomb”; worse, a potential mini Chernobyl. If the cooling mechanism is neutralized and safety devices are overridden, then a classical “China Syndrome” event might be induced which has an effect worse than that of a very large dirty bomb with the bonus of the pollution of aquifers over a large area. The long and short term effects would be not unlike those associated with the explosion of a nuclear weapon.

Map 1 – Nuclear Power Plants near Population Centers


The commercial nuclear reactors in Map 1 are located within approximately 20 miles of a population center (defined as greater than 50,000 people in 2000) [39].

An attack on a nuclear facility could come as the result of an inside job. For this reason, continual vetting, including polygraphing, should be taken as an acceptable cost for the benefits of nuclear power (20% of the electricity in the United States is generated by nuclear facilities [40]). One likely modality for taking a nuclear power plant and using it as a weapon is an action group of no more than 15 individuals. The training methods developed by David Stirling during World War II have been honed and improved by such units as the SAS and Delta Force. Such training camps in Afghanistan, Libya and Sudan have been in regular operation for some years.

Within a reasonable radius of a nuclear facility, the unusual appearance of persons satisfying a variety of profiles should not pass unnoticed by law enforcement authorities. Checkpoints should be established in concentric circles around the plant and persons passing should be reliably identified. Such procedures should prove a valuable hindrance to persons “casing” the plant. Happily, in many cases, such security measures are already in use.

If an action group should succeed in obtaining the staging necessary (including vehicles) for an assault on a power plant, it might be able to achieve its goals. Putting a specially trained platoon of Military Police in each of the 104 nuclear power plants in the United States would require in excess of two brigades. Even if the Nation could make such a commitment of military forces, the record of static forces being able to withstand a well planned and staged action force assault, which needs to take and hold a facility for less than half an hour, is not good. Recall also that al-Quaida action groups will require no exit strategies. It would appear that the best hope for foiling an attack on one of our nuclear facilities is to disrupt it in the planning stages by careful screening including profiling. Naturally, certain static measures are called for: defended watchtowers and barriers to truck assault are low cost items which must be used to supplement intelligence gathering strategies.

From the Kemeny Commission on the Accident at Three Mile Island, we read:

At this stage we approach the limits of our engineering knowledge of the interactions of molten fuel, concrete, steel, and water, and even the best available calculations have a degree of uncertainty associated with them. Our calculations show that even if a meltdown occurred, there is a high probability that the containment building and the hard rock on which the TMI-2 containment building is built would have been able to prevent the escape of a large amount of radioactivity. These results derive from very careful calculations, which hold only insofar as our assumptions are valid. We cannot be absolutely certain of these results. [41]

Most would not find much assurance in this paragraph. The authors admit that their conclusions are based on models which they are not certain apply to the situation at hand. Nevertheless, the very confusion concerning the vulnerability of nuclear plants in the United States probably lowers the likelihood of an attack on them by al-Quaida. Al-Quaida is unlikely to undertake an attack where there is considerable doubt that the attack will achieve its objective even if all the breaks go in al-Quaida’s favor. Careful circles of security around the plant, plus dragon’s teeth blockers against trucks planning to crash into the control room area, may well lower the risk level of attacks on nuclear facilities to the point where resources should be expended on other modalities of attack. We believe that the probability of attack by an action group on an American nuclear power plant is small.

Attacks on Long Road Tunnels Passing Under Water. Approximately 3.97 million tons of ammonium nitrate were sold in the United States in 2002. Of the 3.97 million tons, approximately 2.47 million tons were sold for use as commercial explosive (accounting for approximately 98% of US industrial explosive sales) [42], while the remaining 1.5 million tons were sold for agricultural use [43]. Only two states, South Carolina and Nevada, require any kind of systematic record keeping of agricultural ammonium nitrate [44]. The explosive power of ammonium nitrate is substantial, approximately 2/3 that of TNT.

On April 16th, 1947, a French freighter named the SS Grandcamp attempted to dock in Texas City, Texas on Galveston Bay. The ship was making a delivery of ammonium nitrate fertilizer when the deck of the ship caught fire. Oblivious to the dangers of ammonium nitrate, the crew continued to dock. Later that morning, the freighter exploded, creating a tidal wave that enveloped the shore and an explosion at kiloton scale. Many refineries that were located on the waterfront also caught fire and continued to burn for 6 days after the explosion. It was estimated that a total of 567 people were killed, but it is believed that this number underestimates the total number of casualties from this incident [45]. More recently, 4,800 pounds were sufficient to bring down the Alfred P. Murrah building in Oklahoma City in 1995 [46]. It should be noted that this was an open air blast, where much of the force is vented to the atmosphere. Ammonium nitrate was also the agent used in the al-Quaida related Bali bombing in 2002 [47].

An ammonium nitrate bomb carried in a truck could easily crack such a tunnel, with the water rushing in and killing almost all the persons in transit, and rendering repair difficult and costly. Restrictions on trucks in these tunnels vary. For example, it would appear there is no reason why an eighteen wheeler “milk carrier” could not be loaded with an ammonium nitrate slurry and detonated in the Lincoln Tunnel.

Inspection of trucks entering a tunnel is expensive and not as effective as simply not allowing trucks to enter the tunnel in the first place. Allowing trucks into long underwater tunnels at this point in our history would appear unwise. However, an important function of the Lincoln Tunnel is to bring food from New Jersey to New York City. Not allowing trucks to bring this food through the Lincoln Tunnel would certainly have serious consequences. Disruptions would be required if trucks were disallowed in tunnels such as Lincoln.

There is still the troubling reality that even an SUV can be packed with enough explosive to threaten the structural integrity of a tunnel. A continuing thread in this report is the use of profiling to find suspicious persons doing suspicious things. Seeking out terrorists is clearly more cost effective than setting up turn key rules to detect things which might become instruments of destruction.

Table 3 – Major Underwater Tunnels [48]

Tunnel (year opened)        Location          Length (ft)   Waterway
Brooklyn-Battery (1950)     New York, NY      9,117         East River
Holland Tunnel (1927)       New York, NY      8,557         Hudson River
Ted Williams (1995)         Boston, MA        8,448         Boston Harbor
Lincoln (1937, 45, 57)      New York, NY      8,216         Hudson River
Thimble Shoal (1964)        Northampton, VA   8,187         Chesapeake
Chesapeake (1964)           Northampton, VA   7,941         Chesapeake
Fort McHenry (1985)         Baltimore, MD     7,920         Baltimore Harbor
Hampton Roads (1957)        Hampton, VA       7,479         Hampton Roads
Baltimore Harbor (1957)     Baltimore, MD     7,392         Patapsco River
Queens Midtown (1940)       New York, NY      6,414         East River
Sumner (1934)               Boston, MA        5,653         Boston Harbor
Detroit-Windsor (1930)      Detroit, MI       5,160         Detroit River
Callahan (1961)             Boston, MA        5,070         Boston Harbor

Attacks on Bridges. Of the 600,000 bridges in the United States, a report published by Parsons Brinckerhoff and the Science Applications International Corporation classified 451 bridges as critical for the purposes of national security [49]. These 451 bridges consist of 19 suspension or cable-stayed bridges, 48 through-truss or arch bridges, and 384 “other” types, mostly girder and beam. The vulnerabilities of these bridges are, of course, variable. The destruction of most of these, however, is not likely to take place as the result of some sort of quick in and out action. Rather, careful planning is to be anticipated. There are critical locations where explosives can be placed to effect maximal destruction. From this standpoint, a bridge’s destruction is most readily accomplished by an inside job where the explosives are collected and placed over a period of time.

Accordingly, once again, we see the importance of profiling individuals who are in a position to place charges on a bridge. The necessity of vetting employees in positions where damage to a bridge might be effected is clear. Keeping a sufficient level of vigilance may well be sufficient to discourage attacks on bridges. However, the amount of expertise required to destroy a bridge is well within the capabilities of al-Quaida personnel with training in civil engineering (we recall that Osama bin Laden himself holds a degree in civil engineering [50], as do others of his forces).


However, the modalities of bridge destruction are different from those employed in the attacks of 9-11. An aircraft loaded with fuel crashing into the Golden Gate Bridge would not likely bring it down. The vast majority of the explosive force would be dissipated to the atmosphere. On the other hand, there are rough and ready techniques for focusing explosions in relatively open areas - Timothy McVeigh employed such in the bombing of the Alfred P. Murrah Building in Oklahoma City. Note in the photograph below how much damage might be done to one of the great arches of the George Washington Bridge by focusing of a charge in a vehicle passing through an archway. Charges carrying a fraction of the explosive power of a fully loaded 747, if the charges were strategically placed, would likely bring down an arch. However, even a modest amount of care and vigilance would appear to render the destruction of a bridge impractical when compared to other targets.

George Washington Bridge: New York, New York.


To some extent, since major bridges have not been brought down by sabotage since the Second World War (though large bridges have been destroyed by air attacks both in Serbia and Iraq), we may be overly optimistic about the difficulty of terrorists bringing down, say, the Golden Gate Bridge. To counter this threat, a “red team” approach would appear to be particularly useful when analyzing the potential for effective bridge destruction. Teams skilled in demolition plan the simulated destruction of bridges. Blue teams investigate counter strategies and develop new ones.

A simultaneous attack on a span of the George Washington Bridge and the Lincoln Tunnel could cause severe impact on the ability of Manhattan to be sustained with food, fuel, and other essentials. That this might actually be achieved by such a simple strategy as loading trucks with ammonium nitrate slurry is something that should give us all pause.

Attacks on Railway Systems. The massive attacks on interurban railway in Madrid on March 11 of 2004 have reminded us of the vulnerability of public commuter systems. 191 persons were killed and 1,600 wounded in this incident. Returning to the question of sabotage on bridges, it should be noted that rather constant high traffic is a natural deterrent to careful planting of charges on key structural points of road bridges. For most railroad bridges in the United States, this high traffic deterrent does not exist. Hours may pass between train transits over, for example, gorges in isolated parts of the country. Passenger rail travel between most cities has been largely replaced by air. However, commuter trains on the eastern seaboard are significant. There is no reason why a Madrid type attack might be impractical for, say, New York City, other than the vigilance of American rail workers, police, and the public in general. Could unattended backpacks pass unnoticed in rush hour traffic in New York as they did in Madrid? Probably not, and for this reason al-Quaida may well decide such attacks in America could expend scant personnel to no very useful purpose.

The use of rail lines to carry explosives into the center of an American metropolis is a more realistic problem. The checking of containers on foreign flag ships is addressed elsewhere in this paper. Many of the logistical problems of a seamless security system based on container identification should be much less when one is discussing containers shipped on rail within the United States. At this moment, however, our level of security checking on rail containers is uncertain. Can we discount the possibility that a massive explosion in a railway tunnel or on a railway bridge could be engineered by a number of containers containing huge quantities of ammonium nitrate? Probably not. However, al-Quaida seems keen on killing large numbers of Americans. Consequently, one should expect such attacks would be attempted at locations where the number of civilians killed would be substantial.

Attacks on Dams. Among the approximately 78,000 dams within the National Inventory of Dams, there are approximately 10,000 dams classified as “high-hazardous” [51]; the failure of any one of these dams would most probably lead to loss of life. The impact of the failure of a major dam would be staggering. Consider the loss of the Glen Canyon Dam in Arizona (the second highest concrete-arch dam in the US; it is 16 feet shorter than the Hoover Dam [52]), which holds the second largest US reservoir (Lake Powell – 33,300,000 cubic meters [53]). Hypothetically, its failure could lead to the failure of the Hoover Dam, which lies about 350 miles downstream on the Colorado River. The cost of replacing both of these dams would be exceedingly high, but would pale in comparison with the long-term disruption to the region’s electric and water supplies; the Hoover Dam provides approximately 4 billion kilowatt hours a year and holds the largest reservoir, and Glen Canyon Dam provides approximately 3 billion kilowatt hours a year and holds the second largest reservoir. The loss of approximately 7 billion kilowatts a year and the two largest reservoirs in the country would devastate the entire southwest region. Bringing down either of the dams would be exceedingly difficult and numerous safety measures are in place to protect against attempts. Currently, 18-wheel trucks are prohibited from crossing the crest of the Hoover Dam. Construction is on schedule to complete a detour near the Hoover Dam that would eliminate all traffic over the crest of the Hoover Dam by 2007. Additionally, 24 hour security boats patrol the waters a mile upstream and half a mile downstream from the dam. However, most dams, including the Glen Canyon Dam, have none of these preventive measures in place. Such large dams as the Hoover must be considered to be target worthy by al-Quaida.
Careful random vetting, including polygraphs, of all personnel in a position to participate in their destruction should be considered a necessity. The use of rapid action SAS type terrorist action squads should not be lightly discounted. There is the added consideration that such action squads would not have to plan for exit strategies. The destruction of a large dam is much more difficult than blowing up a tunnel. However, we recall from the experience of Vickers engineer Barnes Wallis in the destruction of the Ruhr dams during World War II that careful design of charges and their placement provides for multiplier effects [54]. Sixty years have passed since the missions of the famous RAF “Dam Busters.” The technology relevant to the destruction of dams must be carefully reviewed by our “red team” experts, for it is reasonable to assume it has been reviewed by al-Quaida.

Attacks on Water Reservoirs. The “safe limit” of PCBs is taken to be 0.5 parts per billion [55]. Levels of PCB production have diminished in recent years since peaking in 1970 when 86 million pounds were produced. For the six year period 1987-1993, the entire release of PCBs to streams, lakes and rivers was only 784 pounds. PCBs have a very long half life and because their release is so heavily penalized, it is highly likely that stores in the thousands of pounds are kept privately and clandestinely at various sites. It would be an easy matter to drive an 18 wheeler loaded with PCBs to an isolated part of a reservoir and, consequently, bring the PCB concentration level up to hundreds of parts per billion. The drinking water supply of a large metropolitan area could be polluted for years. Even much smaller quantities could be released into reservoirs all over the country, with the information of the release made public on al-Quaida friendly web sites by the terrorists weeks after the release. For good measure, they could double or triple the numerosity of sites actually contaminated. It would appear that here local law enforcement is in the best position to promote vigilance against the dumping of toxic materials into municipal reservoirs. Some enhanced federal funding for training against such attacks would seem a good investment.

Attacks on Forests. Dry summers provide the terrorists with an excellent opportunity for having groups of “tourists” traveling separately through the national parks and forests and discreetly planting thermite devices to go off at the same time, say a week after the first one is set. Such devices can be built to weigh no more than a kilogram. Each SUV could easily deposit 50 such devices. Again, profiling and observation would seem to be the key to prevention. Groups of vacationing nuns are unlikely to present the same kind of threat as would some others. The laws concerning the right to inspect vehicles should be modified so that anyone entering certain zones is liable for vehicular inspection. Here, profiling of individuals is a matter of paramount importance. Entrance stations to national parks and forests are, in many cases, already in place.

X. Dependency of our National Economy on Electronic Communications

The economic health of the nation is dependent on the unfettered flow of information and resources. Cyber commerce and governmental use of networks provide an increasingly crucial element for facilitating such flows, adding a dimension to security requirements which is currently barely recognized and not properly assessed.

For 6000 years, money has been used to replace or supplement barter as a means of conducting business. Today it is possible for corporations and individuals to function without utilizing even paper fiat money. All transactions can be carried out through “wire transfers,” credit cards, etc. “Money could flow instantly between countries without being traced” [56]. In a sense, then, money has become a political and psychological virtual entity passed about over networks, principally electronic in nature. Its value is based on an implied agreement that it be convertible into goods and services at rates which fluctuate within politically determined boundaries [57] [58]. The diagram illustrates the dependence of our national economy on the electronic communications network.

Although physical attacks, such as those on the World Trade Center, have had substantial direct costs (estimated by the Conference Board to be $83 billion and a loss of 57,000 jobs), the indirect costs often have been overlooked. The substantial ramping up of domestic and international security measures, including the creation of a new department within the executive branch of the federal government, represents a substantial investment in resources. These resources have historically been diverted to other purposes that are more productive in a more secure world. U.S. corporations spent about $12.3 billion to simply clean up damage from computer viruses as recently as 2001 (total business capital expenditures were about $1.1 trillion in 2001). Even with the increased threats to the U.S. economy due to a loss in cyber trust (real and imagined), market forces are not enough to provide the incentives for adequate private investment necessary to secure U.S. computer systems.

Counterfeiting of fiat money may cause damage ranging from slight to cataclysmic. It can be argued that the customary annual increase of the money supply by the U.S. Treasury decreases the value of the dollar. However, the “drip-drip” denigration of currency value caused by the US Treasury slowly expanding the money supply pales in comparison with a massive attack by a sophisticated counterfeiter. Even the rumor of such an attack could have dire consequences. For example, suppose it were believed that there had been a worldwide flooding of perfectly counterfeited one hundred dollar bills. Even worse, suppose that it were believed that a number of banks and corporations had (with or without their knowledge) received a 10% inflation of their real dollar lines. The psychological attack on the value of the U.S. dollar would be perceptible. How many such attacks could take place before the value of the dollar measured against the Euro or the Swiss franc would fall dramatically?

Well over 25% of the population of the United States is dependent on disbursements from the federal government. Many of these persons are without significant savings. What would be the effect of a shutdown of Social Security, say, for even one monthly payout cycle? Rents would be unpaid, bills unpaid, and food distribution itself would be significantly impacted. Loss of confidence in this one agency of the government would transfer into some loss of confidence in the government as a whole. And, as noted above, money is now almost completely based on confidence in the issuing country [59] [60] [61].


The Cyber Security State of Affairs. Individual firms often have no incentive to invest in cutting edge cyber security because they lack the means to assess the economic value of defense mechanisms. Also, introducing new technology can disrupt normal business operations and may require updating of existing technology, especially monolithic legacy systems that are proprietary. Finally, a part of the problem lies in moral hazard, meaning that people (firms) with insurance (defenses perceived as adequate protection) may take greater risks than they would without it. The lack of incentives for companies to respond adequately to the security challenge may require substantial federal regulation and intervention. The problem is to see how this regulation can be designed in an economical and efficient fashion with minimal interference with the natural flow of commerce.

Many of the steps taken by financial institutions to achieve economies may work against the security of the electronic networks essential to modern commerce. One such step is “just in time production and delivery.” By this paradigm, inventories, redundancies, and the timing for fulfillment of financial obligations are kept to a bare minimum, creating evident potential of cascading shocks to our financial system.

Current cyber trust activities concentrate primarily on a first line of defense, dealing with immediate networking issues including detection of attacks such as worms and Denial of Service, security monitoring, network partitioning, quarantine and polycultural code. Being uninformed about the exposure and benchmarks of higher layers up to the business interests, however, design and management might very well miss the high level target of security, ignoring the economic impact of security measures, leaving the system vulnerable to unrecognized threats, and letting subtle attacks go unnoticed.

The Economics of Cyber Security. A recent National Research Council report notes that U.S. computer systems are increasingly vulnerable to cyber attacks, partly because companies are not implementing security measures already available. “From an operational standpoint, cyber security today is far worse than what known best practices can provide,” said the Computer Science and Telecommunications Board, part of the National Research Council.

What might be the short run and long term costs to the nation of providing a secure computer system that would protect us from a digital Pearl Harbor and “death by one-hundred cuts”? Clearly the costs of criminal cyber activity are difficult to identify. Part of the reason is that the measured financial losses from cyber attacks, implementing patches, reformatting hard drives, and investigating the source of the attack are only a small portion of the opportunity cost of such attacks. “If you're Cisco and you're making $7 million a day online, and you're down for a day, you've lost $7 million…” [62] The “Love Bug” virus (the virus was simply four lines of code) did damage in the billions of dollars. “…[T]he cost of the ‘Love Letter’ virus, which affected everyone . . . ranges between $4 billion and $10 billion.” [63]


The Price for a Faster Pace. Each day hundreds of billions of dollars of financial transactions take place in America electronically. Again, such transactions take place under the assumption that appropriate payment transfers will be made. If the network for such transfers were disabled, even temporarily, the effect on our economic system would be severe. Our system of payment has become largely “just in time.” Funds marked for transfer on a certain date are transferred on that date. These funds are quickly disbursed by the recipient institutions for other previously agreed upon transactions. And so on.

The possibilities of cascading shocks to our financial system are clear. The “just in time” nature of financial transactions is pursued because of cost savings and convenience, as in delivery scheduling in manufacturing. In a manufacturing setting, there are isolated examples, e.g., Lucent, where an inability to make on time delivery without inventory buffering has caused serious problems. The bottom line argument works to eliminate the safeguards usually associated with the maintenance of inventories. In the financial arena, federal regulations requiring inventories and buffering may be necessary to produce a level playing field.

Beyond Petty Theft: the New Attack. The NASDAQ is the nation's largest electronic stock market, and largest stock market. In 2003, an average of 1.7 billion shares per day from about 3,600 listed companies was traded, with an annual total of 424 billion shares. In dollar terms, this amounts to 47 million dollars per minute, 28 billion dollars per day, or an annual total of 7 trillion dollars. This value is larger than the entire dollar amount of many countries' economies. This amounts to about 50% of the share volume, compared to 40% for the New York Stock Exchange, and 10% for the American Stock Exchange.

In order to handle such a voluminous amount of transactions, an efficient and secure system is necessary to ensure smooth market dynamics. The technology facilitating this electronic market is an open architecture system that supports 11,000 traders and 790 firms in more than 1,000 locations. There are more than 2 million users in 83 countries that depend upon data from the NASDAQ system to do business. The 11,000 traders access the market through special NASDAQ Workstation II devices. With 99.98% uptime since 1982, and being the only stock market to achieve ISO 9001 Quality Standards, the system's robustness easily speaks for itself.

Even with such high quality standards, the NASDAQ does not lack in performance. The time to enter and gain confirmation of an order is approximately 1/5 of a second. NASDAQ market information reaches approximately 350,000 terminals worldwide in 500 milliseconds or less. Furthermore, an easy way to compare this electronic market to a traditional market is by comparing the order execution speed of the NASDAQ and the New York Stock Exchange, 4.6 seconds for the former and 20.7 seconds for the latter. All in all, the sheer volume of the NASDAQ and the speed at which this volume moves create an incredibly fluid system that offers an opportunity to make or lose millions of dollars in a matter of minutes. If the system is compromised, the amount of value lost could be colossal.

XI. Planning for the Unexpected

The use of American commercial aircraft as missiles on 9-11 was bold rather than innovative. The failure to guard against such an eventuality must be regarded as one of the major intelligence disasters in modern history. Al-Quaida had already attempted the destruction of the World Trade Center by explosives some years earlier. Looking at the intervening years and the missed opportunities to carry out hard and soft simulations, one is reminded of a Greek tragedy where solutions are obvious to the audience but defy the analysis of the actors. Our intelligence community knew that for al-Quaida the World Trade Center was a target of high priority. One strategy which would have worked is to have posed the following: Given that al-Quaida puts a high premium on the destruction of the World Trade Center, list ten ways it might try and achieve this goal; then put each of the ten ways before panels for discussion and modification. Does anyone doubt that such an approach would have led to something close to the attack actually employed? And if conjectured, would it not have been a straightforward matter to develop effective countermeasures?

We need to suggest ways where 9-11s can be prevented in the future. We need to “inspect” the grand stream of information, historical, scientific, economic, religious, sociological, etc. and look for markers which can be made part of the big picture. No single science provides a well developed means for achieving such an analysis. Nevertheless, means for performing such an analysis must be developed.

References

[1] Kahn, Herman (1961). On Thermonuclear War. Princeton: Princeton University Press, 668 pages.

[2] Kahn, Herman (1968). On Escalation: Metaphors and Scenarios. Baltimore: Penguin Books, 308 pages.

[3] Weight, Richard (1998). The Right to Belong: Citizenship and National Identity in Britain, 1930-1960. New York: I.B. Tauris, 277 pages.

[4] Lewis, Bernard (2002). The Assassins: A Radical Sect in Islam. New York: Basic Books, 176 pages.

[5] Hearing on Saudi Arabia terrorist financing. House International Relations Committee, March 24, 2004. Accessed: July 9, 2004 <http://web.lexis-nexis.com/universe/document?_m=f21c6d854976af157618e920e66992ae&_docnum=4&wchp=dGLbVlb-zSkVb&_md5=08ef324513cc2c27095c03dc59a36dfe>

[6] Thompson, James R. and Koronacki, Jacek (2001). Statistical Process Control: The Deming Paradigm and Beyond. Boca Raton: Chapman Hall/CRC Press, 431 pages.

[7] Transborder Surface Freight Data. Bureau of Transportation Statistics. Accessed: June 23, 2004 <http://www.bts.gov/ntda/tbscd>

[8] The Intermodal Transportation Database. Bureau of Transportation Statistics. Accessed: June 23, 2004 <http://www.transtats.bts.gov/tables.asp?table_id=>

[9] Admiral Loy, James M., and Captain Ross, Robert G. US Coast Guard. “Global Trade: America’s Achilles’ Heel.” Journal of Homeland Security. Accessed: June 23, 2004 <http://www.homelandsecurity.org/journal/>

[10] Gerencser, Mark, Jim Welnberg and Don Vincent (2003). “Port Security Wargame: Implications for U.S. Supply Chains.” Booz Allen Hamilton, Inc. (www.boozeallen.com).

[11] See 16.

[12] Bacheldor, Beth and Laurie Sullivan (2004). “Target Joins The RFID Race.” Information Week. http://informationweek.securitypipeline.com/news/18200270. Accessed July 12, 2004.

[13] EPCglobal, Inc. See http://www.epcglobalinc.org/ Accessed July 12, 2004.

[14] Palm Pilot CZT Spectrometer. Los Alamos National Laboratory. Accessed: June 25, 2004 <http://www.lanl.gov/partnerships/license/techs/palm_czt_spectrom.htm>

[15] Summary - Assessment of the Practicality of Pulsed Fast Neutron Analysis for Aviation Security. The National Academy of Sciences. Accessed: June 23, 2004 <http://www.nap.edu/catalog/10428.html>

[16] Kalton, Graham and Dallas W. Anderson (1986). “Sampling Rare Populations.” Journal of the Royal Statistical Society, Series A. Vol. 149, pp. 65-82.

[17] Czaja, Ronald F., Cecilia B. Snowden, and Robert J. Casady (1986). “Reporting Bias and Sampling in a Survey of a Rare Population Using Multiplicity Counting Rules.” Journal of the American Statistical Association, V. 81, pp. 411-419.

[18] Weerahandi, Samaradasa and Robert G. White (1992). “Some survey techniques for sampling rare subjects.” Statistics & Probability Letters, V. 15, pp. 361-368.

[19] See 14.

[20] Ensor, Katherine and Thompson, J.R. (2004). “A Statistical Model for Container Inspection.” (in progress).

[21] Beh, E. J. (2004). “Simple correspondence analysis: A bibliographic review.” International Statistical Review, (to appear).

[22] Benzecri, J. P. (1992). Correspondence Analysis Handbook, Marcel-Dekker, New York.

[23] Greenacre, M. J. (1984). Theory and Application of Correspondence Analysis, Academic Press, London.

[24] See 20.

[25] Smith, William B. and Mitchell J. Muehsam (1997). “Asymmetry and outlier detection using correspondence analysis.” Statistics of Quality, pp. 295-308.

[26] Wilson, George. “Navy Missile downs Iranian Jetliner on 4th of July”. Washington Post, Monday, July 4th, 1988.

40

27 Michel, Lou and Herbeck, Dan (2002). American Terrorist: Timothy McVeigh & the Tragedy at Oklahoma City. New York: Reagan Books, 560 pages. 28 Strickland, Lee and Willard, Jennifer. “Reengineering the Immigration System: A Case for Data Mining and Information Assurance to Enhance Homeland Security” Journal of Homeland Security. Accessed: July 16, 2004 <http://www.homelandsecurity.org/journal/articles/displayArticle.asp?article=75> 29 Entry of the 9-11 Hijackers into the United States. National Commission on the terrorist attacks upon the United States. Accessed: July 16, 2004 <http://www.9-11commission.gov/hearings/hearing7/staff_statement_1.pdf> 30 See 27. 31 See 27. 32 See 27. 33 Border Security Act of 2002. Senate of the United States. Accessed: July 16, 2004 <http://uscis.gov/graphics/hr5005.pdf> 34 See 27. 35 See 27. 36 Antibodies to Squalene in Recipients of Anthrax Vaccine. Experimental and Molecular Pathology Volume 73, Issue 1 , August 2002, Pages 19-27. Accessed: July 11, 2004 <http://www.sciencedirect.com/science?_ob=ArticleURL&_udi=B6WFB-468TDD8-3&_coverDate=08%2F31%2F2002&_alid=185538327&_rdoc=1&_fmt=&_orig=search&_qd=1&_cdi=6790&_sort=d&view=c&_acct=C000049490&_version=1&_urlVersion=0&_userid=963248&md5=2c388eb7d2f3a106e3553c4cabf2bf6f> 37 Thompson, James R. (2000). Simulation: A Modeler’s Approach. New York: John Wiley & Sons, 297 pages. 38 Power Reactors. US Nuclear Regulatory Commission. Accessed: June 23, 2004 <http://www.nrc.gov/reactors/power.html> 39 List of Power Reactor Units. US Nuclear Regulatory Commission. Accessed: June 23, 2004 <http://www.nrc.gov/reactors/operating/list-power-reactor-units.html>

40 Monthly Energy Review – May 2004. Energy Information Administration. Accessed: June 23, 2004 <http://www.eia.doe.gov/emeu/mer/pdf/pages/sec8_3.pdf> 41 The Need for Change: The Legacy of TMI. Kemeny Commission. Accessed: July 16, 2004 <http://stellar-one.com/nuclear/report_to_the_president.htm> 42 Explosive Statistics and Information – 2002. US Geological Survey. Accessed: June 24,2004 <http://minerals.er.usgs.gov/minerals/pub/commodity/explosives/explmyb02.pdf 43

Associated Press. “Oklahoma bomb ingredient still unrestricted.” Published by CNN June 11, 2004. Accessed: June 23, 2004 <http://www.cnn.com/2004/US/06/11/fertilizer.bombs.ap/>

41

44 See 43. 45 Texas City Disaster. University of Texas at Austin. Accessed: July 9, 2004 <http://www.tsha.utexas.edu/handbook/online/articles/view/TT/lyt1.html>

46 See 43. 47 See 43. 48 World Almanac Education Group. The World Almanac and Book of Facts 2004. New York: World Almanac Books, 2004. 49 National Needs Assessment for Ensuring Transportation Infrastructure Security. Parsons Brinkerhoff and Science Applications International Coporation. Accessed: July 7, 2004 <http://security.transportation.org/doc/NatlNeedsAssess.pdf> 50 The House of Bin Ladin. The New Yorker, December 11th, 2001. Accessed: July 11, 2004 <http://www.newyorker.com/fact/content/?011112fa_FACT3>

51 Dam Safety 101: The Increasing Hazard. Association of State Dam Safety Officials. Accessed: July 7, 2004 <http://www.damsafety.org/> 52 Glen Canyon Fact Sheet. Bureau of Reclamation. Accessed: July 7, 2004 <http://www.usbr.gov/uc/news/gcdfacts.html>

53 Largest US Reservoirs. USCOLD Register of Dams. Accessed: July 7, 2004 <http://npdp.stanford.edu/damlarge.html>

54 Flower, Stephen (2002). A Hell of a Bomb: How the Bombs of Barnes Wallis Helped Win the Second World War. New York; Arcadia Publishing, 320 pages. 55 Consumer Factsheet on: POLYCHLORINATED BIPHENYLS. US Environmental Protection Agency. Accessed: June 23, 2004 <http://www.epa.gov/safewater/contaminants/dw_contamfs/pcbs.html>

56 Puffer, Brad (2002). “Digital Cash”. Nova Online. http://www.pbs.org/wgbh/nova/moolah/digitalcash.html. Accessed July 12, 2004. 57 T. Harvey. “Electronic Money and the Law -- The Implications.” http://www.smartcard.co.uk/resources/articles/electronicmoney.html. Accessed February, 2004. 58 Rahn, R. W. (1999) “Money: The Ultimate Privatization.” Center for International Privatization. No. 2. http://www.cipe.org/publications/fs/ert/e32/e32_02.htm Accessed July 12, 2004.

59 Kaner, Cem (1997). “The Insecurity of the Digital Signature.” http://www.badsoftware.com/digsig.htm. Accessed July 12, 2004. 60 Nova Online. (2002) “The History of Money.” http://www.pbs.org/wgbh/nova/moolah/history.html. Accessed July 12, 2004. 61 Panurach., P. (1996). “Money in Electronic Commerce: Digital cash, Electronic Fund Transfer and Ecash.” Communications of the ACM, V39 (6).

42

62 Power, Richard, Editorial Director of the Computer Security Institute (CSI)}. “Tangled web: Tales of Digital Crime from the Shadows of Cyberspace.” 63

Adams, J., Chief Executive Office & Co-Founder of iDefense. Quotation.