British adopt stupid threat level model similar to US

(via Scheier’s security blog)

Do you know the current American terrorist threat level? Probably not. And why is that? Because almost since inception, the threat level has been at yellow. Occasionally, it climbs up to orange. threat-level-chart.jpgIn certain parts of the country, it has been at red at times. But never has it been at blue or green – the two lowest levels. And what does that mean? It means since the inception of this idiotic political ploy the current administration has saddled us with, we have been told to be aware of anything out of the ordinary, for there is a significant risk of terrorist attack.

Let me let you in on a little secret – we are no more at risk of terrorist attack now than we were 10 years ago – OK, maybe a little more at risk given our attack on a country on questionable evidence of potential threat, thereby alienating many people who previously didn’t care enough about the US to even think about us, and making the ones who already hated us even more hateful and driven by vengeance – but really, that’s a tiny change, probably not even enough to measure on that little chart on the right. The only difference is the 9/11 attacks showed us that we were at risk, when we thought we were safe and secure in our little bubble of North America. And I don’t call the threat level security model stupid because of who is in the White House – honestly, I believe that had a Democrat been in the White House, we’d still have some stupid model of similar design. It might be something different, but it would still be there. And why do we have it? So politicians can point out the elevated risk in an easy to understand format and use that as justification for taking more of our money to spend it on more stupid “security” measures that won’t actually increase America’s security, and likely will reduce it.

The problem with constantly telling everyone to “be alert” is that we aren’t given any guidance on what we are to watch, how to tell if something is out of the ordinary, what we might expect as a higher risk attack, or anything else that would make an elevated alertness warning have meaning. And we’re Americans. Do you know what that means? We have short attention spans, an unwillingness to change our ways, and a tendency to ignore security and safety procedures when they inconvenience us. Even if the threat level model were any good, it’s been at yellow too long to matter. To make an impact on Americans’ behaviors at this point, it would probably take a red alert – I doubt even an orange alert on a nationwide basis would phase 99+% of the people in this country.

So, why the rant over all this? Well, the British are going to be implementing a similar poorly-conceived alert model. The one difference is, they suffer attacks sufficiently more often than we do that it might make a difference. It won’t, mind you, but potentially it could. If their government is smart enough to maintian a blue or green alert stage equivalent the vast majority of the time, going to yellow or orange equivalent might make a difference in peoples’ behaviors. I just hate to see more money wasted on more “security precautions” that are just well publicized ways for governments to spend money on actions that typically reduce security instead of improving it.

Oh crap, they’ve already screwed upbritish-threat-level-chart.jpg. I just checked the British threat level, and by , the British are at the Orange threat level equivalent they are labelling Severe. By their own definitions of the threat levels, the British intelligence community and government believe an attack is highly likely. That may be true, but we’ll have to watch and see how long the threat level stays that high. Keep it like that most of the time, and it loses it value as an alerting tool.

And just in case you think all this threat level modelling and guidance is just made up (as currently implemented it is, but don’t let anyone know that I let you in on the secret, please), here is how to British intelligence service explains the rationalization used to feed this garbage to the masses (that’s you and me, Joe Citizen!):

How do we decide Threat Levels

In reaching a judgement on the appropriate threat level in any given circumstance several factors need to be taken into account, these include:

Available intelligence: It is rare that specific threat information is available and can be relied upon. More often, judgements about the threat will be based on a wide range of information, which is often fragmentary, including the level and nature of current terrorist activity, comparison with events in other countries and previous attacks. Intelligence is only ever likely to reveal part of the picture.

Terrorist capability: An examination of what is known about the capabilities of the terrorists in question and the method they may use based on previous attacks or from intelligence. This would also analyse the potential scale of the attack.

Terrorist intentions: Using intelligence and publicly available informaton to examine the overall aims of the terrorists and the ways they may achieve them including what sort of targets they would consider attacking.

Timescale: The threat level expresses the likelihood of an attack in the near term. We know from past incidents that some attacks take years to plan, while others are put together more quickly. In the absence of specific intelligence, a judgement will need to be made about how close an attack might be to fruition. Threat levels do not have any set expiry date, but are regularly subject to review in order to ensure that they remain current.

So, if you’ve made it through all this, you probably think – “Damn, Randy’s just bonkers. This is a valuable security tool, and helps us all live safer” then perhaps you should see what someone much smarter and more articulate than I am has to say about it.

Your turn, Bruce:

In theory, the warnings are supposed to cultivate an atmosphere of preparedness. If Americans are vigilant against the terrorist threat, then maybe the terrorists will be caught and their plots foiled. And repeated warnings brace Americans for the aftermath of another attack.
The problem is that the warnings don’t do any of this. Because they are so vague and so frequent, and because they don’t recommend any useful actions that people can take, terror threat warnings don’t prevent terrorist attacks. They might force a terrorist to delay his plan temporarily, or change his target. But in general, professional security experts like me are not particularly impressed by systems that merely force the bad guys to make minor modifications in their tactics.

And the alerts don’t result in a more vigilant America. It’s one thing to issue a hurricane warning, and advise people to board up their windows and remain in the basement. Hurricanes are short-term events, and it’s obvious when the danger is imminent and when it’s over. People can do useful things in response to a hurricane warning; then there is a discrete period when their lives are markedly different, and they feel there was utility in the higher alert mode, even if nothing came of it.

It’s quite another thing to tell people to be on alert, but not to alter their plans?as Americans were instructed last Christmas. A terrorist alert that instills a vague feeling of dread or panic, without giving people anything to do in response, is ineffective. Indeed, it inspires terror itself. Compare people’s reactions to hurricane threats with their reactions to earthquake threats. According to scientists, California is expecting a huge earthquake sometime in the next two hundred years. Even though the magnitude of the disaster will be enormous, people just can’t stay alert for two centuries. The news seems to have generated the same levels of short-term fear and long-term apathy in Californians that the terrorist warnings do. It’s human nature; people simply can’t be vigilant indefinitely.

Wow, it’s like he thinks that this would only work if elevated security alerts are issued infrequently, and have some guidance as to what to look for, expect, or avoid. Sure, it’s stated better than I have said it, but damn if that isn’t the exact same concept I’ve tried sharing. Of course, I’m a peon in the security community, so no one listens to me. Anyway, here’s a bit more from Bruce’s article:

This all implies that if the government is going to issue a threat warning at all, it should provide as many details as possible. But this is a catch-22: Unfortunately, there’s an absolute limit to how much information the government can reveal. The classified nature of the intelligence that goes into these threat alerts precludes the government from giving the public all the information it would need to be meaningfully prepared.

Well sure, but can’t they give us something to work with? Any guidance? I know that if you say too much, you change that which you are observing (kind of like how measuring particles changes their state), but come on, if we have nothing to go on, we Americans will pretty much do nothing. That’s what our nation is, with the exception of the occasional stand-out.

Regardless, this final rip from Bruce Schneier’s older article on the troubles with this system will hopefully make clear exactly what’s wrong with the way the threat level system is run in the US today (and from the looks of things, the British are going to 1-up the US and stay in a higher alert stage, but I could be wrong – I’m not, but I could be):

A terror alert that instills a vague feeling of dread or panic echoes the very tactics of the terrorists. There are essentially two ways to terrorize people. The first is to do something spectacularly horrible, like flying airplanes into skyscrapers and killing thousands of people. The second is to keep people living in fear with the threat of doing something horrible. Decades ago, that was one of the IRA’s major aims. Inadvertently, the DHS is achieving the same thing.

There’s another downside to incessant threat warnings, one that happens when everyone realizes that they have been abused for political purposes. Call it the “Boy Who Cried Wolf” problem. After too many false alarms, the public will become inured to them. Already this has happened. Many Americans ignore terrorist threat warnings; many even ridicule them. The Bush administration lost considerable respect when it was revealed that August’s New York/Washington warning was based on three-year-old information. And the more recent warning that terrorists might target cheap prescription drugs from Canada was assumed universally to be politics-as-usual.

Repeated warnings do more harm than good, by needlessly creating fear and confusion among those who still trust the government, and anesthetizing everyone else to any future alerts that might be important. And every false alarm makes the next terror alert less effective.

Here, why don’t we sum it up this way – Call wolf enough, and no one will pay attention when there really is a wolf.

