15 Years After 9/11

Fifteen years ago this September 11, 19 terrorists, using four jetliners as guided missiles, killed 2,977 people and enveloped the USA in fear.

It was the first sustained attack on American soil since the bombing of Pearl Harbor, which was a far-off military base. This massacre hit the center of our government and blasted away part of our most iconic skyline. It left a stench that New Yorkers could smell weeks later as remains continued to be recovered from the ashes.

Suddenly, we were vulnerable. Not just to disease, tornadoes, accidents, or criminals, but to the kinds of enemies that had always threatened others but never us.

Barack Obama remembers that after the second plane hit, he left the Chicago building that housed his State-Senate office. “I stood in the street and looked up at the Sears Tower, fearing it might be a target, too,” he told me in a recent email exchange, adding, “I remember rocking Sasha to sleep that night, wondering what kind of world our daughters were going to grow up in.” He continued, “With nearly 3,000 people killed in the places where we lived our daily lives, there was a feeling that our homeland was truly vulnerable for the first time.”

This is the story of the first 15 years of how we have dealt with that newfound fear—how we have confronted, sometimes heroically and sometimes irrationally, the mechanics, the politics, and the psychic challenges of the September 12 era.

Have we succeeded in toughening up what overnight became known as “homeland security”? Absolutely. But not without a series of extravagant boondoggles along the way.

Are we safer? Yes, we’re safer from the kind of orchestrated attack that shocked us on that September morning. It’s harder for terrorists to get into the country, and harder for them to pull off something spectacular if they do. But we have not plugged some of the most threatening security gaps. Worse, as the Orlando massacre reminded us, the world has become more populated by those who want to exploit those gaps, including those living among us—and who, in the United States, can easily obtain military-grade weapons. They are not deterred by the prospect of their own death, and they are happy to commit acts less ambitious than those of 9/11. That makes their attacks much harder to detect in advance. Our defenses are far stronger, but what we have to defend against has outpaced our progress.

Have we adjusted, politically and emotionally, so that we can make rational decisions as a government and as a people to deal with the ongoing threat? Not yet. In a bitterly divided democracy, where attention spans are short and civic engagement is low and the potential for oversimplification and governing-by-headlines is high, that is hardly a surprise.

But in those first hours after the planes hit their targets, we did answer the call—which required an almost complete turnaround of America’s mind-set and produced just as stunning a turnaround in our security posture.

PART ONE: The Good News

On September 10, 2001, then–Attorney General John Ashcroft rejected an FBI request to increase anti-terrorism personnel for the coming fiscal year beyond a fraction of the bureau’s overall staff. The next morning, Ashcroft headed to Milwaukee to read to schoolchildren while his boss, President George W. Bush, was doing the same at an elementary school in Sarasota, Florida.

Also on September 10, FBI officials declared at a congressional briefing that the most imminent domestic terrorism threat was from animal-rights activists. Fifteen years later, the Justice Department has a national-security division, set up in 2006, that has consolidated and fortified all the department’s counterespionage and counterterrorism litigation and related legal-policy decisions. The overall FBI budget has nearly tripled since 2001, and its mission of investigating and prosecuting federal crimes that have already happened has been expanded to stopping terrorists before they strike. Most of the new resources—for intelligence analysts, technology upgrades, and additional agents—have been directed at prevention. “About half” of all agents are now assigned to national security, FBI Director James Comey told me, up from “maybe a quarter before the attacks.”

Connecting the Dots

On September 10, 2001, the Federal Aviation Administration, which was responsible for air-travel security, had a watch list of 12 people, even though the FBI and the CIA had identified hundreds more in their databases. A proposal to expand the FAA list to include those additional names had been sitting for months in the inbox of an FAA security official. In reporting for a book about the nation’s recovery efforts in the first year after 9/11, After: How America Confronted the September 12 Era (2003), I discovered that two of the hijackers had been on that expanded list. Distribution of their names to the airlines had been delayed because the FBI and the FAA had not resolved which organization’s letterhead should be attached to the memo bearing the new list.

On the day the World Trade Center fell and the Pentagon was left smoldering, the CIA knew that two suspected terrorists whom it was tracking around the world—and who ended up on the 9/11 planes—had come to the U.S. months earlier. But the agency never told the FBI. When this came to light, the September 12–era phrase failure to connect the dots was born.

Today, all US security agencies share the same watch lists and threat databases, which are constantly updated. They share intelligence tips with one another (though sometimes still grudgingly), and federal officials even sit on task forces with their local counterparts. With some lingering exceptions, we do connect the dots.

Safety in the Air

On September 11, the airlines themselves were responsible for airport-security lines. They employed 16,000 poorly trained, low-wage private screeners, who operated under guidelines, approved by the FAA, that allowed the kind of box cutters and knives (up to four inches long) that the hijackers used. The airlines had lobbied the FAA for these and other accommodations to keep costs down and the security lines moving.

Today, there are 46,000 screeners, almost all federal employees, trained by the Transportation Security Administration. Although management failures have produced security gaps in fast-moving lines, followed by—especially this spring and summer—long wait times resulting from efforts to plug those gaps, the screening process is undeniably tighter than it was on the morning of September 11. And cockpit doors have been fortified to block anyone who slips past the screeners, making a repeat of the 9/11 plot to commandeer planes and turn them into missiles hard to imagine.

In the 1970s, hundreds of federal air marshals—undercover cops in the air—were deployed on American planes to thwart hijackings to Cuba. By 2001, the number of marshals had been reduced to 33—negligible coverage for the more than 20,000 flights leaving 440 airports in America every day. Within a month of 9/11, an emergency program had recruited 600 new marshals, and by 2005 approximately 5,000 were on planes. (The actual number is classified.)

Securing the Ports

When Kevin McCabe, the chief inspector of the U.S. Customs contraband team at the giant Elizabeth, New Jersey, freight port, looked across the water at the World Trade Center in Lower Manhattan and saw the second plane hit, he knew his country was under assault.

McCabe stared out his office window at the pier below, loaded with more than 7,000 cargo containers that had arrived from all over the world, and began what was probably America’s first exercise in post-9/11 profiling. He directed his 70 inspectors to move every container that had arrived from the Middle East or North Africa—about 600 of them—to a far-off section of the pier. They then began the days-long process of X‑raying and, if anything seemed untoward, hand-searching all 600.

The X-rays and searches, however, had always been geared to looking for smuggled drugs. The inspectors were great at finding cocaine hidden in limes from Ecuador. But they had little training in looking for bombs—and little equipment for detecting material that could be used for a radiation-laced “dirty bomb.”

Fifteen years later, every American port screens cargo using billions of dollars’ worth of technology, including radiation detectors. Containers that register high on a threat matrix (based on information sent in advance about the content and its shippers) are singled out for additional screening; many containers are screened in foreign ports by U.S. Customs inspectors before they set sail.

The system is far from airtight. But the port inspectors have come a long way from McCabe’s panicked game of musical containers.

Cyber terror

The other hot new threat is cyberterrorism. Because 87 percent of the country’s critical infrastructure is owned by the private sector—power plants, financial institutions, water companies—much of the Department of Homeland Security’s lower-profile work involves sharing information and convening forums and sponsoring drills aimed at helping industries help themselves.

Meantime, the government’s efforts to protect its own digital infrastructure have provided steady fodder for cynics. To take the latest examples, neither a data-hosting service at the Department of the Interior—whose technology setup was declared by federal officials to be a “Center of Excellence”—nor the Office of Personnel Management detected the hacking in 2014 and 2015 of 25 million records kept by the OPM. A $1 billion cybersecurity program designed by DHS, called “Einstein,” was, according to the GAO, so ineffective that it missed the hacking of the OPM records. In fact, most government agencies initially defied a presidential directive and refused to even install the much-derided Einstein.

It’s a bad sign when a program called Einstein turns into a clown show, and it’s tempting to make that a metaphor for the government’s cybersecurity efforts more generally. However, since taking over DHS’s cybersecurity and communications unit three years ago, Phyllis Schneck, a highly regarded cybersecurity engineer who came from the private sector, seems to have put the agency on a better track.

She has worked to professionalize the National Cybersecurity and Communications Integration Center, which, although it has produced yet another mind-numbing acronym (NCCIC), has the potential to be effective, according to one Silicon Valley star programmer who has advised the Obama White House on cyber issues. “With counterterrorism, I have an expectation, and it’s met every day, that I will get a full report on threats across the spectrum, because we put in place structures … to ensure information-sharing across the intelligence community, as well as with state and local law enforcement,” says Lisa Monaco, President Obama’s White House homeland-security and counterterrorism adviser. “With cyber, we’re not there yet, but we’re getting there.”

Hidden on four floors in a nondescript office building in Virginia (it’s not listed in the lobby directory), Schneck’s operation includes a heavily guarded floor with space for 150 cyber detectives, many recruited from the private sector.

Some sit at screens looking for trouble as they monitor the innards of dozens of federal agencies (except the Defense Department, which has its own cybersecurity apparatus). For example, a dramatic upsurge in traffic at the IRS during tax time, in mid-April, would mean nothing, but the same spike on Commerce Department servers could spell trouble.

Others monitor web traffic around the world, looking for similar regional or countrywide anomalies that could indicate attempted sabotage.

Schneck, whose father was a computer scientist at the National Security Agency, describes one approach she is applying as “biological.” The Continuous Diagnostics and Mitigation program, for which $275 million has been budgeted for the coming fiscal year, will reject a virus that makes it onto a government network “in real time, even if we don’t know what it is,” Schneck says.

Using data-analytics tools from the private sector, she is also augmenting Einstein (which has been allocated $460 million in this year’s budget and $471 million for next year) with software that will prevent such intrusions in the first place by implementing what she calls “a cyber no-fly list.” There are now ways of using data, she explains, to target the address of a machine that has been the source of other hacks, and to keep it from accessing the emails or websites of the agencies she is protecting.
.
That this is still a debate in an election season 15 years after the 9/11 attacks is evidence that although we’ve made progress, we’re still a long way from adjusting—politically and psychically—to this new normal, where, unlike during the Cold War, there is no relying on deterrence for protection.

DefenseOne: http://bit.ly/2bdnNdp

 

« Cyber Spy Group Uncovered After Years Of Attacks
Keyless Entry Renders Millions Of Cars Vulnerable »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

PFP Cybersecurity

PFP Cybersecurity

PFP provides a SaaS solution for life-cycle protection based on our IoT security platform and power usage analytics.

Global Learning Systems (GLS)

Global Learning Systems (GLS)

Global Learning Systems provides security awareness and compliance training programs for employees that effectively promote behavior change and protect your organization.

Digital Hands

Digital Hands

Digital Hands is an award-winning managed security services provider.

LiveVault

LiveVault

LiveVault delivers fully automated, turnkey, backup over the Internet or a private network connection for uninterrupted remote data protection.

CodeSealer

CodeSealer

CodeSealer provide invisible end-to-end user interface protection with a unique web security solution to eliminate Man-in-the-Middle and Man-in-the-Browser vulnerabilties.

PSW Group

PSW Group

PSW Group is a full-service Internet solutions provider with a special focus on Internet security.

ENAC

ENAC

ENAC is the national accreditation body for Spain. The directory of members provides details of organisations offering certification services for ISO 27001.

Rule4

Rule4

Rule4 is a global professional services firm that provides practical, real-world knowledge and solutions in areas including cybersecurity, AI, Machine Learning and industrial control systems.

Monster Jobs

Monster Jobs

Monster is a global leader in connecting people to jobs, wherever they are. Monster covers all job sectors including cybersecurity in locations around the world.

BLUECYFORCE

BLUECYFORCE

BLUECYFORCE is the leading professional training and cyber defense training organization in France.

BigPanda

BigPanda

BigPanda is the first provider of Autonomous Operations solutions that empower IT Operations at large, complex enterprises.

Penten

Penten

Penten is an Australian-based cyber security company focused on innovation in secure mobility and applied AI (artificial intelligence).

Mosaic Insurance

Mosaic Insurance

Mosaic is a next-generation global specialty insurer distinguished by an exceptional team, agile technology, and a structure that combines Lloyd’s of London strength with a global distribution network

OSI Security

OSI Security

OSI Security's primary services include penetration testing, security auditing, web application security testing and risk management.

StrataCore

StrataCore

StrataCore is a single-source technology lifecycle advocate that works behind IT teams as a strategic partner to help them achieve peak enterprise outcomes.

CyberXposure

CyberXposure

CyberXposure has been built by a team comprising of Cyber Security Professionals and SAAS experts in data backup, disaster recovery and cyber-security.