What does Homeland Security mean?

First, we must think of homeland security first as an effort to protect the United States from threats that may originate overseas but have their manifestation here at home. The other aspect of security of course is the international component, which focuses of course on the world outside of the United States. The basic concept of Homeland Security is to protect the homeland in an era in which we have increasing vulnerabilities as the result of the development of a variety of new technologies or ideas about international conflict. Those technologies of course include the diminishing invulnerability of the United States, and the fact that transnational actors—terrorists—obviously can acquire capabilities that are very cheap, and those might include airplanes or low-grade explosives that may nevertheless be put in the form of a radiological dirty bomb to be detonated in the United States.

Why is it that Homeland Security seems to be a relatively new concept?

Historically, the United States from the War of 1812 until World War II didn’t have to be concerned much about homeland security. We were invaded of course during the War of 1812, Washington D.C. was occupied, the White House was burned, the United States was invaded from Canada, but after that, we had a long period of more than a century in which there was no threat to the homeland, so our focus has been based traditionally upon pushing the problem out as far as possible from the frontiers of the United States. This meant fighting wars abroad, not in the United States but in Europe, Asia, the Pacific—like in World War II and of course the battles of the Cold War which were primarily fought outside the territory of the United States. So let us say that in thinking about Homeland Security, we’re thinking about a strategy which is designed to deny access to the USA or to whatever country you’re talking about to those who would do it harm, and homeland security has come to the fore in American strategic thinking as a result of this growing vulnerability.

What are the basic principles of Homeland Security today?

As I think about national security strategy, it has essentially two components—the homeland component and the international component. The homeland component is based primarily upon what I would call a strategy of denial—that is denying access to the United States by terrorist, to the extent that we can, through capabilities that we might have posses, be they in the form of missiles, border control, etc. The quadrennial defense review for homeland security came out in 2014 and it can be summarized into one term, which is denial of access.

The first principle is border security, which means inspecting shipping containers—such as with the Container Security Initiative—and inspecting ships long before they reach the shores of the United States. Then, it means looking at passenger lists in the country of origin before passengers get onboard commercial airliners coming to the US and checking passengers before they board planes; when you come back from Europe to the United States, there will be a check of the passenger manifest by US Border Protection agents before you board the plane. We must then give countries the same reciprocity—they could take the same measures here in the US.

The second principle is facilitating commerce while promoting homeland security, to separate the dangerous from the routine. This is a huge problem because you cannot inspect everything, but what you can do is separate what is the dangerous from the routine. For example, I am going soon to get my Global Entry card renewed, and Global Entry, if you’re willing to submit to an eye scan and fingerprinting and an extra long questionnaire, Customs and Border Protection may give you the opportunity to go to a kiosk instead of the immigration line coming into the United States. I am then sorted out of the category for potential danger. That is an example of separating one category from another.

The third principle that I think about for homeland security is the need to achieve unprecedented levels of cooperation based on bringing together capabilities that were previously considered separate. I had the opportunity just after 9/11 to help to draft the Massachusetts Homeland Security Plan which was a very interesting effort because it brought us into contact with a whole range of communities that had previously not been in contact with each other very much. For example, after 9/11, we had to think not only about terrorism from the kind of hijacked aircraft that we faced but also the anthrax problem that we faced in various parts of the country. So, people were thinking about how you could bring together the infectious diseases component with law enforcement and emergency services and all the other communities involved in homeland security.

The fourth principle, which I find critical, links homeland security to the broader picture, is reconciling the requirements for security and the essential values for personal liberty. Where we draw this line is of course a huge problem, which we see consistently. We see it now most recently in the mining of metadata, or big data as some people call it, from the general population. We also see the ability to encrypt which is increasingly possible with technological advances, raising questions such as when should encryption be allowed or not, and the idea of an inherent right to privacy. Does public safety trump the individual’s liberty? It seems to me that these questions will never resolved in an open society. We see the US Patriot Act that has been very controversial in recent years as well as the efforts in the very recent weeks and months in regards to metadata and encryption.

What are some of the largest threats facing the United States today?

There are several security threats that the United States faces right now. One, of course, is ISIS, and the other is the growing problem of Russia that I believe will loom larger in the years ahead. In my view, Russia is in its final analysis a declining power, but in the next several years, it continues to pose a series of dangers for the United States. These dangers are not comparable to the Cold War, but are nevertheless very strong. As it has been for quite a while, I think that the principle danger to the United States will lie in the years to come in the field of nuclear weapons. There is a threat from a modernized Russian nuclear capability, but more immediately also from the possibility of terrorists getting their hands on nuclear capabilities. The second area of concern that cuts across this is cyber warfare. One of the key areas for Homeland Security now is going to be protecting against cyber attacks. Russia and China have already been known to use cyber attacks. The danger that we face is from nuclear and cyber capabilities in the hands of state and non-state actors. ISIS comes between two, as it started as a non-state armed group, and has declared itself to be morphing into a self-declared caliphate state.

For the latter half of the 20th century, national defense policy was very much centered on nuclear deterrence. Are there signs of this changing in the 21st century?

I think that the issues of deterrence for the 21st century are far more complex than they were during the cold war. We have to not only deter a nuclear-armed Russia (which some say may be resurgent) and China, both with nuclear capabilities that could hit the United States, but perhaps in the future North Korea and even perhaps Iran. The issue is that deterrence in the nuclear arena will become far more complex. In the Cold War, it was bipolar—the Soviet Union and the United States. Now, there may be situations, for example, in the Korean Peninsula where China backs North Korea. North Korea is armed with a few nuclear weapons that could strike Japan and maybe the United States, and then China of course is nuclear-armed. We then have for the first time a situation in the United States in which two or more of the adversaries that we could face in a coalition state-to-state conflict would be nuclear powers, and we would have to deter escalation to that level. This is a field where I am working right now. That is an unprecedented situation that we never had during the Cold War where we were thinking primarily of Russia. By the time China had developed nuclear weapons, it was in its fundamental split with the Soviet Union, and the United States went as far as to urge the Soviets in 1969 not to attack the Chinese nuclear capability that was being developed. We saw China as an emerging counter-balance to the Soviet Union, and you’ll of course remember the famous Nixon-Kissinger diplomacy of that era.

Furthermore, we may have a nuclear world in which the incentive is not to use nuclear weapons as a last resort, but rather as a first resort. This is where the non-state armed group comes into play, and nuclear weapons become the basis for carrying out terrorist operations. I see nuclear devices, both dirty bombs and missiles, not as the ultimate step in escalation as did Herman Kahn in his escalation ladder in the 1960’s, but potentially as something that could come early in a future crisis. I am told that Pakistani nuclear weapons are now under good lock and key, but I do not know that for a fact. I am not positive that Al-Qaida or ISIS could not somehow get their hands on Pakistani nuclear weapons. The opportunities are far more extensive today for these types of capabilities getting into a variety of hands

How does cyber warfare play into this?

Similarly, cyber warfare can be used the first step in escalation. Russia attacked Estonia in 2007 with only cyber weapons. Estonia is very vulnerable to cyber attacks because Estonia has a highly advanced economy, and it is far more connected to the internet than Russia, at least as much as the United States, maybe more, showing the asymmetry of vulnerability that exists. We can think of cyber as a capability that might be launched on its own without being part of any other escalation, but cyber attacks can also be the prelude to a kinetic attack, as it was in the case of Russia against Georgia in 2008. Russia attacked Georgia, a breakaway republic from the USSR, during a simmering territorial dispute. In this case, Russia used a cyber attack against Georgian infrastructure before launching an invasion. You could think of cyber as being part of an escalation strategy with regard to China against the outside world. If China were confronted in the South China Sea or the Taiwan Straight, it would want to disable the command and control capabilities of its adversaries and then escalate to a kinetic attack—meaning missiles, etc.—or perhaps even do it without escalation. Since cyber capabilities are accessible to all actors, we have a much more level playing field then we ever did before, and cyber warfare is a case-in-point.

It is true that, if you fight with strategic warfare, which is to make it difficult if not impossible for the enemy to resist because you disabled his strategic capabilities –such as in World War II with the bombing of strategic and civilian infrastructure—now there is a far greater range of capabilities that can be brought to bear, including cyber warfare. When you think about the vulnerabilities of our society to cyber attacks, think about the electric power grid, transportation systems, food distribution, banking, and so on. It would be an interesting assessment to look at all of our potential vulnerabilities and see where we have plugged the gaps and where do we have new issues.

Looking at these two major threats for the 21st century that you described that are cyber and nuclear, have we seen a response from the United States and other nations, or has there been a lag in responding?

There’s a response, but the issue is that the response has not kept up with the threat. As you may know, the United States has created in the Department of Homeland Security and in the US Government more broadly a whole set of cyber efforts; there’s a cyber strategy clearly on display on the website of the DOHS. Since the attack by Russia on Estonia in 2007, NATO has had an ongoing discussion of what should be done. When, and to what extent does a cyber attack reach the threshold of Article Five—“an attack upon one is an attack upon all”? NATO has discussed this and come up with a cyber declaration that basically says that it is an issue that will be dealt with on a case-by-case basis, which is not very assuring. There is no common cyber strategy at the international level, and the vulnerabilities of the United States are extensive for both cyber warfare and cyber crime. In cyber crime, people hack into personal databases in order to exfiltrate information that they may want to use, such as your social security number, whereas in cyber warfare, the goal is to disable these systems. In the United States you can look at the corporation level and the US government in both the military and civilian sectors to see these huge vulnerabilities. There’s a good deal of offensive strategizing as to what type of response does a cyber attack merit. The cyber domain is both a virtual domain and a physical domain, so is a response in kind appropriate or is a cyber attack to be retaliated against with a kinetic attack?

Within the efforts of the Department of Homeland Security, we’ve also been developing an effort to defend against since attacks. Once again, we see the theme of denial and punishment. We would like to safeguard US domestic cyber infrastructure, and at the same time we would like to be able to punish those who would launch such attacks against us. For the cyber domain there is a paradigm that includes both denial and punishment, but also a third leg: building international norms. Obviously defending against this isn’t all hardcore military; you want to be able to get together as many as the people, groups, and countries that have a shared interest as you can to establish international norms in the form of international standards and legal regulation for the cyber domain just as you would against crime or warfare. There’s a great deal of work being done to develop normative standards and codes of conduct.

What changed to bring about these new threats?

As you think about this 21st century security setting within which all these events are taking place, we also have a situation of growing urbanization of societies around the world. I like to think about the growth of what Robert Kaplan calls “megacities” with populations in excess of 10 million people, which are cropping up all around the world. They can be found in South America, such as in Săo Paulo and Rio de Janeiro, as well as in West Africa, the Indian subcontinent, and other parts of the world. If you think of these trends that are shaping the world of the future, urbanization is one that brings with it a high level of alienation from rural societies as people migrate into the cities. This forms a ready-made basis for radicalization and for latching on to extremist ideologies, be they Islamic or others. Then you add to this that most the people that migrate into these cities are likely to be younger people. Going back to a previous theme, these people are increasingly empowered and interconnected with each other. These connections do not even necessarily have to do with literacy; you don’t have to be able to read to watch television or to talk on a cellphone. By these simple instruments, people who historically were never able to get in contact with each other are now able to do so. This applies to societies with very low levels of literacy such as Afghanistan. In my experience, If most people can’t read, and you can’t instruct them if you want to teach them military skills such as by giving them a manual. However they can certainly still use cellphones. I think we fall short in all of our mission areas to respond, and I don’t think we will ever eliminate them. We are looking now at mitigation and not elimination.