by Charles A. Harold

How to Catch a Terrorist Without Hurting Anyone’s Feelings

Mar 01, 2006

An argument for computerized probable cause

Pass the Excedrin; I have another “War on Terrorism” headache. This one is about all the fuss over terrorist profiling. Politically correct pundits are crying foul, stating that a terrorist profile is nothing more than a racial or religious profile. Their basic argument: “All Middle Easterners are not terrorists and all Muslims are not Middle Easterners; therefore there is no such thing as a Middle Eastern/Muslim terrorist profile.”

For mental health reasons I usually refrain from consuming any sort of political pabulum, but I have to be intellectually honest and admit that the pundits are correct on this one. Racial or religious profiling will not prevent the Richard Reid shoe bombers of the world or expose the next equivalent to Anakin Skywalker before he becomes a Sith Lord.

Unfortunately, as we argue over what's to be done about terrorism, trying not to hurt anyone's feelings in the process, the next 9/11 is being planned. To prevent terrorism, law enforcement needs a new type of politically correct profiling. I have just the thing, a solution that even the ACLU may find acceptable.

Shake hands with a simple, old-fashioned law enforcement solution to catch terrorists: the legal doctrine of probable cause. Probable cause exists when the facts within a police officer's knowledge are sufficient to make the average, reasonable, prudent person believe that a suspect has committed, is committing, or is about to commit a crime. Think about that for a minute: A police officer can detain or arrest a person before they commit a crime. Now there's a tool that might come in handy in the war on terror.

To articulate the facts and circumstances necessary to make an arrest prior to a crime being committed, police need to connect the dots of evidence. By contrasting a suspect's behavior against a background of objective information gleaned from a web of circumstances such as witness interviews, physical evidence and contradictory statements, police are able to paint an objective picture of a suspect's intentions. In the street-level world of probable cause, bad guys crash and burn at the intersections of logic and common sense when their concocted stories to police about why they have a gun, ski mask and bag of money in the back of their car do not pass the smell test.

Ay, there's the rub: The new bad guys of the world, terrorists, are not exactly standing in front of the local quickie-mart with a ski mask and a gun, are they? Trying to find a terrorist can be like trying to find a needle in a worldwide haystack. Law enforcement doesn't stand a chance of finding that needle if it is looking in the wrong haystack.

To prevent terrorism we need to look in the right haystack: our untapped computer networks. We need to profile not just people, but more importantly information about people, existing data that already contains the necessary probable cause to automatically connect the dots of suspicious behavior that could lead to terrorist acts.

To accomplish this just and admirable mission, our old-fashioned probable cause needs to be upgraded and retrofitted so it can withstand the slings and arrows of political correctness. Probable cause needs to be computerized, because to a computer, all people, even “terrorists” look like ones and zeros.

Using existing technology, here's an example of how we can use a PC (personal computer) to uncover PC (probable cause) that will allow us to catch the bad guys before they strike, and be PC (politically correct) all at the same time.

Threat Scenario: The Really Big Theme Park

It's a busy holiday weekend at the Really Big Theme Park. Two hours before the park closes, three young men arrive together at the main entrance. They split up so if one of them is caught, the others may get through. They then proceed to various bag inspection points where the guards are searching soccer moms with their diaper bags, strollers and backpacks. There are no metal detectors because theme park management felt they were too expensive, and would slow down the lines. Since the men are not carrying any diaper bags or backpacks, they are cleared to enter the ticketing area. Each man is carrying a 17-round, 9 mm semi-automatic handgun concealed in his waistband.

The three men proceed to separate ticket booths and purchase tickets with cash so their identities cannot be traced. They enter the park and proceed independently to Little Kids Land. There, the men meet up, enter several different rides, and proceed to open fire on children and their parents.

The terrorists then drop their guns, blend in with the panicked crowds running for the exits, and leave the park undetected. Dozens of children are killed or wounded. Families are devastated.

In the aftermath, all amusement parks worldwide are closed indefinitely until a solution can be found. The Really Big Theme Park never recovers financially from the lawsuits and public outrage at the lack of security and is eventually forced to shut down permanently. Other competing amusement parks soon follow due to lack of attendance, and tens of thousands of people in the amusement park industry lose their jobs.

Several months later, the attack is replicated at movie theaters, causing a shutdown of the movie industry and all the ancillary businesses that support it. Southern California unemployment shoots to 20 percent overnight. The bottom falls out of the housing market in Los Angeles because the former studio employees (the largest unemployed group in Southern California) cannot afford their overpriced houses any longer and are forced to sell quickly at reduced prices.

A simple, uncomplicated terrorist plan has accomplished its mission: economic destruction of a major sector of the U.S. economy.

The Wrong Haystack: Fortification

Where was the probable cause in the Really Big Theme Park event? Believe it or not, there were useful pre-event indicators that could have warned us of the suspects' intentions prior to implementing their plans. We did have probable cause, but it was hidden inside the existing cash register sales records, contained within a data profile. With the right computer programming, this tragedy could have been prevented.

Unfortunately, most Department of Homeland Security and security experts would respond to this scenario in one of several ways:

“Some security problems require solutions that are cost prohibitive.”

“Some solutions would restrict businesses from operating effectively.”

“There are some things that simply cannot be predicted or prevented.”

Here is my favorite. How many times have we heard this? “We have no specific information to indicate attacks are imminent.”

We have all heard these responses many times. Some of us may subscribe to one or more of them ourselves. Are the experts incorrect? Not completely, but it depends on what security paradigm the experts use. Most traditional security models and prevention techniques are based upon ancient defense stratagems that have one main premise: fortification.

9/11 was perhaps the single most sophisticated attack in the history of warfare, yet the government responded to this complex attack with an unsophisticated solution: It told all of us to build bigger forts around our assets. So we all took up a defensive posture and added more guards, more gadgets and more guidelines to our infrastructure.

Increased physical security may have made everyone feel safe for a while, but even the Great Wall of China eventually became obsolete for a very simple reason. Physical security has little to do with preventing terrorism.

We all know that physical security did nothing to prevent the bombing of the U.S.S. Cole. Soldiers in Iraq, armed to the teeth with the best weapons in the world, are no safer because of their armament. Thousands of video cameras did not prevent the London Underground bombings.

Why doesn't fortification work against terrorism? The fundamental reason is that the concepts of information and time are seldom considered or factored into current fortification designs. Instead of fortification models, time and information models using data profiles should be the number-one stratagem when designing any defense or early warning system.

To demonstrate the effectiveness of time and information, think about this: Would it have made a difference on September 11 if the U.S. Air Force had information about the hijackings 15, 10 or even five minutes earlier, giving them more time to scramble their fighter jets?

The Right Haystack: Data Profiles

We are the most information-driven society in history, and that is something that law enforcement and security experts should be exploiting. Information is collected on everything: what TV shows we watch, what we buy with our credit card, who lives next door to us and how much they earn. Every time you go grocery shopping, your “club card” records your purchases, learning a little bit more about your shopping habits each time. (That's why you receive coupons for scrubbing bubbles or water chestnuts.)

We are both living and drowning in the age of information. There is so much information that we cannot see the forest for the CGI (computer generated image) trees. Therein lies the problem. We are not using simple, relevant information that can truly make us safer and help us anticipate and prevent future terrorist attacks.

So what types of information can we use to build our early-warning systems? Here are a few examples: credit file information, access control records, phone switch records, digital phone recordings, blogs, ID systems, report writing programs, Internet logs, e-mail, calendars, video, delivery logs, SAP, travel and expense reports, time clocks, wireless networks, webcams, Bluetooth PANs and my favorite, point-of-sale data.

Most computer networks already save this type of data in multiple formats, and the list of other useful information sources is almost endless. The credit card industry, for example, already uses information successfully to detect fraud. My brother and I recently took a road trip from Los Angeles to Oregon. As we drove up Interstate 5 and stopped at various gas stations, we switched off paying for gas. On one stop I used my credit card to fill up both our tanks, and at the next stop my brother used his credit card. By the time we got to the Oregon border, a 15-hour trip, the two different credit card companies had shut off both of our credit cards because filling up twice at a gas station and filling up outside your normal geographic area is an “exception” to normal purchasing rules and is an indication of credit card theft.

How to Bring Back Probable Cause

So how can the government and local law enforcement use existing information sources to capture terrorists before they strike?

First, our leaders need to shake hands with a few computers. Most of the people in charge of security “visions” are sorely lacking in computer skills, or worse yet they lack the knowledge to understand what computers are capable of. (Remember the $50 billion FBI paperless office project that did not work?)

Many senior security and law enforcement leaders do not know the difference between an ISP and the PSI in their golf cart tires (more a reflection of their age group than their ability). To bridge this humongous technology gap, law enforcement experts who are very good at arresting people need to hire young computer geeks with database programming capabilities and teach the computer geeks about the effectiveness of probable cause investigations.

Next, law enforcement needs to reach out to local businesses and work hand in hand to capture and harness their various sources of information. Probable cause is hidden everywhere in business information. For example, truck rental records might find the next Oklahoma City bomber, and a supermarket “club card” record could disclose that your neighbor has purchased 200 bottles of bleach in the past month from 10 different markets, behavior indicative of a chemical attack. Taking cues from the old-timer street cops who could spot a bad guy a mile away, the police computer geek can set up computer commands that will analyze this sort of information and build data profiles to establish probable cause.

Once the rules and commands for probable cause and data profiling have been established, information from local business can then be automatically analyzed and pushed to security and law enforcement officials in the field where it can be used in live exercises to formulate real-time threat mitigation plans.

Instead of looking for a traditional bad guy driving down the street with a ski mask, gun and bag of money in his car, law enforcement can search the digital world looking for new types of probable cause based upon statistical probabilities, data matching or consumer purchasing patterns.

Let's look at the Really Big Theme Park scenario again, but this time we will utilize some of the above-mentioned data sources to build a data profile and create new computerized probable cause that will automatically allow us to catch the terrorists before they strike.

The Really Big Theme Park, Revised

Two hours before the park closes, three young men arrive together at the main entrance. They then split up so if one of them is caught, the others may get through. They enter the various bag inspection points but are not searched because they are not carrying any bags. There are still no metal detectors to find their concealed weapons. The men proceed separately to different ticket booths and purchase tickets with cash.

This time the new computerized cash register is equipped with a push-button data profiling menu, much like the cash register at a fast food restaurant. Instead of pushing a cheeseburger button on the cash register, when the three men buy tickets from different windows, the various sales clerks select and push a data profile button recording the sales as “Cash,” “Male Consumer,” “Unaccompanied” (meaning no family or friends are with them).

As the sales are rung up, the system snaps a digital photo of the men from the new webcam system recently installed at all ticket booths and main gate entrances.

As the transactions are winding up, the point-of-sale computer system creates a pre-programmed data profile. It starts by running an algorithm against the historical point-of-sale database that has been pre-programmed with acceptable data profiles about traditional ticket sales (i.e., 95 percent of park visitors are families with kids, and enter the park between 9 a.m. and 1 p.m.).

Based upon pre-programmed sales rules, the computer calculates that a single “Unaccompanied,” “Male Consumer” buying a ticket with “Cash” two hours before the park closes happens in only 0.05 percent of all park sales worldwide. The unusually low occurrence of this type of sale is an “exception” to the sales data profile, so the computer generates Warning No. 1. It then prepares a first alert and continues calculating.

As the computer continues, it calculates that three “Unaccompanied,” “Male Consumers” buying tickets with “Cash” during approximately the same time period, at different ticket windows, two hours before the park closes, has never happened in the history of the theme park! A great big “exception” is noted and Warning No. 2 is generated!

The computer then springs into action, creating a private sector version of probable cause based upon the data profile established by the police and their computer geek. Within seconds, the computer sends electronic alerts to the park's security operations group through pagers, cell phones and PDAs. The digital photos of the three men are electronically transmitted to all gates and ride station terminals. The computer system simultaneously notifies local law enforcement with the same information. The terrorism prevention machine is in motion.
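The two-stage exception check the revised scenario describes (a rare profile raises Warning No. 1, three such sales at different windows in the same period raise Warning No. 2), written out as an added example that is not code from the article. The Sale attributes, the 30-minute cluster window, the closing time and the sample sales are constructed assumptions; the 0.05 percent threshold is the article's figure.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Sale:                 # one ticket sale, as the clerk's profile buttons record it
    when: datetime
    window: str             # ticket window id
    payment: str            # "Cash" or "Card"
    consumer: str           # "Family" or "Male Consumer"
    unaccompanied: bool     # no family or friends present

PARK_CLOSES = datetime(2006, 3, 1, 22, 0)   # constructed closing time
RARE_THRESHOLD = 0.0005                      # 0.05 percent, the article's figure
CLUSTER_WINDOW = timedelta(minutes=30)       # assumed meaning of "same time period"

def profile_key(s):
    """Sale attributes plus a 'late' flag: bought within two hours of closing."""
    late = PARK_CLOSES - s.when <= timedelta(hours=2)
    return (s.payment, s.consumer, s.unaccompanied, late)

def baseline_rates(history):
    """Share of historical sales that match each profile key."""
    counts = Counter(profile_key(s) for s in history)
    return {k: v / len(history) for k, v in counts.items()}

def warning_1(sale, rates):
    """Exception: this sale's profile is rarer than RARE_THRESHOLD in the history."""
    return rates.get(profile_key(sale), 0.0) < RARE_THRESHOLD

def warning_2(flagged):
    """Cluster: exception sales at three or more windows inside CLUSTER_WINDOW."""
    flagged = sorted(flagged, key=lambda s: s.when)
    for i, first in enumerate(flagged):
        group = [s for s in flagged[i:] if s.when - first.when <= CLUSTER_WINDOW]
        if len({s.window for s in group}) >= 3:
            return group
    return []

def constructed_history():
    """Constructed baseline of 10,000 sales: mostly morning families paying by card."""
    open_ = datetime(2006, 3, 1, 9, 0)
    spec = [(9500, open_, "Card", "Family", False),
            (400, open_ + timedelta(hours=4), "Card", "Male Consumer", True),
            (100, PARK_CLOSES - timedelta(minutes=90), "Cash", "Family", False)]
    return [Sale(start + timedelta(minutes=i % 60), f"W{i % 6}", pay, who, alone)
            for n, start, pay, who, alone in spec for i in range(n)]

def constructed_today():
    """Constructed evening sales: one ordinary late family, then the three men."""
    return [Sale(datetime(2006, 3, 1, 20, 1), "W0", "Cash", "Family", False),
            Sale(datetime(2006, 3, 1, 20, 5), "W1", "Cash", "Male Consumer", True),
            Sale(datetime(2006, 3, 1, 20, 7), "W3", "Cash", "Male Consumer", True),
            Sale(datetime(2006, 3, 1, 20, 12), "W5", "Cash", "Male Consumer", True)]
```

Note that no single attribute is rare on its own (unaccompanied men and late cash sales both appear in the baseline); only the combination falls below the threshold, which is the point the scenario makes.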

Park security quickly locates each suspect and puts them under separate surveillance as they enter the park. As security observes the three young men converging and talking to each other near Little Kids Land, one is spotted lifting his shirt and adjusting something stuck inside his waistband. They are stopped and whisked behind the scenes for questioning. The plot is foiled.

It is later discovered that the three white, non-Muslim men were part of a domestic terrorist hate group. Prior to the attack they looked and acted nothing like the “traditional” profile of terrorists.

So what was different in the revised scenario?

1) Data profiling created time to comprehend that there was a threat.

2) Data profiling created time to define the threat properly.

3) Data profiling therefore created time to respond with an effective solution.

Unlike simple fortification models, data profiling can build time and information into our security systems and allow us to switch from traditional law enforcement and security models that are very good at cleaning up after the fact, and build proactive models where prevention and the protection of life is the number-one priority. In short, data profiling can provide us with many more response options.

As society catches up with our technology, public policy will soon demand that we harness the power of our digital information. Laws will eventually be written that will make it negligent for law enforcement and security professionals not to utilize information in a timely manner to prevent people from being harmed.

Pre-9/11, if you went to your company CFO or a government official and told them you needed money and resources to guard against the Really Big Theme Park threat scenario, they would have called the men in white jackets with the big butterfly net and had you quietly escorted off the property with the parting comment, “You're crazy, that will never happen!”

Today, guarding against seemingly impossible threats is anything but impractical; it is unfortunately quite necessary. In the post-9/11 world, if you can think of a terrorist scenario, someone will eventually implement it. Therefore, society cannot wait until the terrorists are at the gate. We need to act now, move forward and use the power of our computerized information networks to build more effective and timely protection models.

So the next time a government official calls a news conference and says, “We have no specific information to indicate attacks are imminent,” ask them if they had time to check their computer network for some answers.

Data profiling, the computerized, PC version of probable cause, will prevent the next 9/11 and not offend the terrorists in the process.