Many in the world, myself included, sometimes wonder whether the discipline of homeland security actually coheres into a single area of expertise. After all, a successful homeland security leader in the United States must know something about immigration, border security, international information sharing, emergency response, and counter-terrorism investigations (plus other disciplines unnamed). That seems like almost a potpourri of expertise without any core linkages.
And then comes a day like Paris. Or, even worse, a week that includes Paris, Belgium, Libya, Beirut, Mali and probably several others I have mistakenly neglected. And we learn, again, that even though homeland security, as an area of focus, lacks the same defined boundaries as, say, national security or tax policy, it, nevertheless as has an essence that is, in these terrible times, of unquestioned importance.
As the world reflects, in horror, on the recent tragedy in Paris (in particular) it may be worthwhile to consider what, if anything, we can learn from these events. What lessons might they teach us about national security or homeland security? And how might the attacks in Paris change our policies? In many ways the questions naturally occur. In some ways it is far too soon to draw any lessons – the wounds are still too raw. But for some (including me) the Paris attacks are far too real; far too immanent to be ignored. Herewith then some thoughts:
First, and foremost, the Paris attacks remind us of an uncomfortable truth, one that we, perhaps, are all too eager to disregard: successful terrorist attacks are inevitable. Nothing, nothing at all, can prevent all of them. Counter-terrorism and protecting the homeland are risk management tasks, not risk elimination. The best we can reasonably expect from government is to take all reasonable steps to minimize the risks posed.
But that realization brings with it several very very hard realities. For one thing, it is a message that the American people do not want to hear. When President Obama said something very much like this early in his presidency he was widely condemned. When DHS Secretary Michael Chertoff said much the same thing after the successful attacks in Britain on 7/7 he, too, was pilloried in the press. It is difficult, indeed, to make good policy for a body politic that in its bipartisan wisdom doesn’t want to hear the truth.
The difficulty is compounded by a profound lack of certainty in the data. In most risk assessment there is enough data about the costs and benefits of any particular course of action that a reasonably clear assessment can be made. Car makers can assess safety and insurance companies can value the risk of injury in travel. By contrast in the context of homeland security the relevant values are radically indeterminate. We try to maximize incommensurate of civil liberties and privacy as well as security and safety. We have little experience in assigning value to either and we have no real history of terrorist activity from which to extrapolate. To put it colloquially (as one of my colleagues at DHS used to say), those who are responsible for protecting the homeland will always be doing too much, up until the day after a successful attack when they will be condemned for having done too little. The best they can do is make their best judgments with indeterminate facts – and that means that those who would criticize the French after the fact (or our own government) should bring to the table a healthy dose of humility.
Beyond that relatively high level theoretical lesson, it is reasonable to expect a set of changes in various practical policy applications. Here are the ones where, I predict, we will see the most notable and significant changes:
- The entire European project of free travel is under grave pressure and may soon crumble. If it does that would be very unfortunate. At the core of Europe lie two significant successes: the free flow of goods in a common market and the free flow of travel in an open system known as the Schengen system. That has always been somewhat suspect. It, in effect, made the travel security of each country subject to the success of the least successful state border agency. The European border agency, Frontex, has virtually no real authority – it is a coordinating organization that calls upon member state support for its operations. In a way that is very reminiscent of their recent economic problems (a common currency without a centralized financial system) the Europeans never had a centralized border approach but they had a common travel market. That market came under grave pressure this year with the flood of Syrian refugees. I fear that the apparent ease with which the Paris terrorists entered and left Europe will only increase that pressure. We may, just may, see greater centralization, but my guess is that we will seen the gradual reinstitution of border controls.
- Similarly, we are going to see significant pressure on American travel rules. Today, many Europeans travel to the US without visas in something known as the Visa Waiver Program. My own view is that the VWP actually has greater security benefits than traditional visa interviews – member countries share terrorist and criminal information with the US for data-based background checks. But there are some in the US (led, surprisingly, by Senator Diane Feinstein) who see VWP as a security vulnerability. Expect renewed efforts to tighten the program or eliminate it all together. Expect, as well, demands for other enhanced screening measures on international arrivals.
- We are already seeing the strum and drang about refugees. As one who worked in the refugee admission program, I would counsel caution in overreacting. Admission as a refugee to the United States is a demanding process. Most of the people in the pipeline to come here today entered it even before ISIS existed. If I were trying to sneak into the US, I wouldn’t use the refugee program – I’d travel to Mexico and hire someone to walk me across the border. Nonetheless, as the House vote the other day suggests, there will be at a minimum a tightening of the program’s criteria.
- As others have noted, I think the Paris attacks are likely to transform the information sharing/big data/privacy debate on both sides of the Atlantic. One thing I look for is a very quick resolution of the pending US/EU agreement for law enforcement information sharing. We may even see the Europeans yield somewhat on the Safe Harbor controversy. Whatever else comes of this, I think that for a while at least the privacy-protective arguments in Europe will weaken.
- In particular, it seems to me that Europe is going to be forced to confront the tension between privacy and security more directly. Today, for many reasons, there are significant limits on information sharing across the continent. European law enforcement don’t have access to European border databases. The European Parliament has slow rolled a Commission proposal to track travel of passengers to and from the European Union. The Schengen Information System is limited in what it may collect and share … And so on. At each turn, as a privacy protection, the Europeans have erected significant information flow barriers. We will see if that changes in the next few weeks and months.
- Finally on encryption -- As Wired reported the other day, the encryption question may actually become part of the national Presidential debate. If it does, then it will be impossible to predict how the matter will play out. I stand by the view that, until someone shows me otherwise, encryption back doors will be unwise as a technical matter – but technical requirements are often subsumed within the political debate.