Stewart Baker's book, Skating on Stilts, is a behind-the-scenes story about how the federal government has tried to strike a delicate balance between security and liberty. This is no dry academic treatise. Baker's prose is by turns artful and provocative. He pulls no punches in his assessment of homeland security, his critics, and of his own role in the events leading up to and following the September 11 attacks. Few people have experienced this period in American history as closely as Baker, and his memoir is thoughtful and often riveting.
-- Shane Harris, author of The Watchers
“Policy meets reality. No post-9/11 official spent more time trying to figure out how to keep America safe, free, and prosperous at the same time than Stewart Baker. His story offers important lessons for battling terrorism in the future.”
-James Jay Carafano, coauthor of Winning the Long War and director of the Heritage Foundation’s Douglas and Sarah Allison Center for Foreign Studies
"Too much commentary about our efforts to prevent another 9/11 is based on prejudice, fear, disinformation and willful disregard of the threats we face. Stewart Baker has courageously written an open and honest history of our recent efforts -- rare in government memoirs -- that no serious homeland security policymaker can ignore."
- Amb. John Bolton, former U.S. Ambassador to the United Nations
“Stewart Baker makes a cogent, vivid, and persuasive case that we should protect privacy by auditing the government's use of data about individuals and punishing misuse -- but most definitely not by treating such data as private property nor by building walls around it, as we did before 9/11, that bar government-wide cooperation in fighting terrorism. This book will fundamentally change the terms of the technology-privacy debate.”
- R. James Woolsey, Director of Central Intelligence 1993-1995
I finally had a chance to read Arizona's new law on illegal immigration. It's rather different from the press portrayal. Maybe I'll blog about that, but I want to start with the astonishingly vituperative attack by Cardinal Roger Mahony on what he calls "Arizona's Dreadful Anti-Immigrant Law." Here's what he said on his blog:
"I can't imagine Arizonans now reverting to German Nazi and Russian Communist techniques whereby people are required to turn one another in to the authorities on any suspicion of documentation. Are children supposed to call 911 because one parent does not have proper papers? Are family members and neighbors now supposed to spy on one another, create total distrust across neighborhoods and communities, and report people because of suspicions based upon appearance?"
Of course we all know the rule that the first debater to compare the other side to the Nazis is losing the debate. And this is a law that even President Obama, who obviously dislikes it, can't say for sure goes beyond the state's constitutional authority. Plus, there's nothing in the bill about children turning in parents or neighbors spying on neighbors.
Why is the Cardinal's criticism so over the top?
Maybe he's just really exercised about the issue. But even so, he can't think that his flaming rhetoric is persuasive. Now, after reading the law, I suspect the Cardinal's interest is a little closer to home.
A part of the law that hasn't been emphasized by the media deals with the fact that Arizona has become the kidnapping capital of the country as coyotes transport and hold captive large numbers of illegal migrants. The law makes it illegal to "transport ... conceal, harbor or shield an alien from detection in any place in this state, including any building or any means of transportation, if the person knows or recklessly disregards the fact that the alien has come to, has entered or remains in the United States in violation of law." Similarly, the law makes it illegal to "encourage or induce" people to come to Arizona illegally.
That's a pretty reasonable response to the crisis, you might think, which probably explains why it isn't featured in media reports. But imagine that you're the head of the Catholic church in Arizona. Sooner or later, a lot of your parishioners are going to tell their local priest that they're here illegally. The church has been pretty clear about what it will do about that. Nothing. To take one recent example, a bishop in Oklahoma responded to that state's effort to enforce immigration law with defiance:
"I wish to make it absolutely clear that no one will be denied access to our Catholic charitable, pastoral and/or educational programs because they are illegal immigrants. This is to be true for all our parishes, institutions, schools and the various operations of Catholic Charities."
The problem with this stance is that it comes awfully close to declaring in advance that the church intends to "harbor or shield from detection" illegal immigrants. So Cardinal Mahony has to ask himself whether his priests are courting liability under the new law if they continue to give shelter and transport to parishioners whom they know or suspect are illegal immigrants. That's a big deal.
Suddenly Cardinal Mahony's outburst about the evils of spying and turning in parents makes a little more sense. The law is going to put his church in a newly awkward position. Complying with Arizona's tough new legal obligations will be hard to square with the bold moral stance taken by the church in a more forgiving era. The prospect of paying a much higher price for what had been a pretty comfortable form of civil disobedience is bound to engender a lot of emotion. And that, I suspect, is the source of the Cardinal's otherwise inexplicable outburst.
The malware arms race continues apace. First, the bad guys hid malware on innocent websites, hoping to infect casual web users. Next, Google and Yahoo rode to the rescue, using their spiders to find infected websites and warn web users away from the malware.
Now the bad guys have made their countermove. They're deploying software on infected sites that watches for the search giants' spiders. When they spot a spider, they serve up bland, malware-free content. The rest of us get the nasty stuff.
You can see what will come next: The search giants will try to make their spiders look like ordinary web surfers -- varying their IP addresses, configurations, and other identifiers to avoid detection by the new, more sophisticated malware.
That's good, but I've got a question. Why can't we take this strategy one step further? Why can't Google and Yahoo release software that lets the rest of us look more like search engine spiders? It seems to me that that would have two good results. First, if my browser looks like an antimalware spider, infected sites won't serve me malware. Second, Google and Yahoo will find it a lot easier to make their spiders look like the rest of us if the rest of us look like their spiders.
In fact, take it even further. I'd happily run a bit of code from the search engines that actually watched for malware and reported it to Google and Yahoo when I encountered infected sites. The bad guys will have a lot more trouble distinguishing between antimalware spiders and ordinary users once the ordinary users actually become spiders.
(Crossposted to Volokh.)
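As an added example (not part of the original post), here is a defender-side check for the cloaking described above: compare the active content in a page as served to a crawler-identified client with the same page as served to an ordinary-looking client. The two HTML samples, the `injected.example` domain and the function names are constructed for illustration; fetching each view is assumed to happen elsewhere.

```python
import hashlib
from html.parser import HTMLParser

# Constructed sample: what an infected site serves to a client it recognizes as a spider...
CRAWLER_VIEW = """<html><body><h1>Recipes</h1>
<script src="/static/site.js"></script></body></html>"""
# ...and what it serves to everyone else (constructed, inert placeholders only).
BROWSER_VIEW = """<html><body><h1>Recipes</h1>
<script src="/static/site.js"></script>
<iframe src="https://injected.example/frame" width="0" height="0"></iframe>
<script>var placeholder = "stands in for injected code";</script>
</body></html>"""

class ActiveContent(HTMLParser):
    """Collect elements that load or run code: scripts, iframes, embeds, objects."""
    TAGS = {"script", "iframe", "embed", "object"}

    def __init__(self, html):
        super().__init__()
        self.items = set()
        self._inline = None  # buffer for the inline <script> currently being read
        self.feed(html)
        self.close()

    def handle_starttag(self, tag, attrs):
        if tag not in self.TAGS:
            return
        attrs = dict(attrs)
        src = attrs.get("src") or attrs.get("data")
        if src:
            self.items.add(f"{tag}:{src}")
        elif tag == "script":
            self._inline = []

    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            body = "".join(self._inline).strip()
            if body:  # identify inline scripts by a short digest of their text
                self.items.add("inline-script:" + hashlib.sha256(body.encode()).hexdigest()[:12])
            self._inline = None

def cloaking_report(crawler_html, browser_html):
    """Report active content present in the browser view but hidden from the crawler view."""
    hidden = sorted(ActiveContent(browser_html).items - ActiveContent(crawler_html).items)
    return {"cloaked": bool(hidden), "browser_only": hidden}
```

Rotating ads and per-request script nonces also differ between fetches of a clean site, so a positive result is a lead for review, not a verdict.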
"With penetrating intellect, pragmatic sensibility, and broad counter-terrorism experience, Stewart Baker provides chilling insights into the terrifying threats presented by ever-more-high-tech terrorism, the maddening inadequacy of our defenses, and the lobbies responsible for this inadequacy. He recounts in vivid detail how the same entrenched business interests, bureaucratic turf wars, and anti-American Euro-bureaucrats that helped pave the way for 9/11 have continued to oppose policies that would make us safer. Especially devastating is Baker’s portrayal of the deeply misguided “privacy lobby” who insist on perpetuating security dangers in order to avert highly improbable governmental abuses. This despite the exponentially increasing likelihood of cyber-attacks “that could leave us without power, money, petroleum, or communications for months” and biological attacks 'equivalent to a nuclear detonation.'"
“Skating on Stilts is both a memoir and a guidebook. Baker takes us through the challenges of his days at DHS, and presents a framework for action that will stand the test of time.”
- John Hamre, former Deputy Secretary of Defense and President, Center for Strategic and International Studies
“Stewart Baker was one of the leading thinkers in developing the architecture for Homeland Security and his insights and experience provide a unique perspective on our national security challenges going forward.”
- Michael Chertoff, former Secretary of Homeland Security
“A most unusual memoirist, Baker is a government bureaucrat with a philosopher's bent and a passion to tell you what he didn't achieve. And this tough-minded, candid work is a cautionary tale to those who slough off hard decisions with a dismissive claim that we do not have to make choices between our values and our security. As Baker points out, security is a value and those who pretend otherwise--be they business interests, privacy advocates, or international groups--put Americans at risk. His chilling retelling of the events leading up to 9/11 seems to echo some of the events of the current day, especially as he reminds us that Mohamed el Kahtani, the one 9/11 hijacker that was actually stopped, left this country with the promise "I'll be back." Kahtani, of course, was later captured, but we need no reminder that like-minded terrorists remain to threaten us.”
-General Michael Hayden, director of the Central Intelligence Agency (2006–2009) and director of the National Security Agency (1999–2005)
I've sent early copies of the book to several people I respect. Their reviews have been generous and gratifying, so I'm posting them here.
“Stewart Baker provides a valuable insider narrative about many of the key homeland security policy debates and negotiations of the last decade. He offers urgent and compelling warnings about emerging threats that we face related to cybersecurity and bioterrorism. This book is a useful resource to policy practitioners and interested citizens alike.” - U.S. Senator Joe Lieberman
Despite all the attention, though, there's a surprising lack of certainty about exactly what TSA is doing that's different. After making some assumptions that weren't quite right, I think I now understand and can explain what TSA has done.
First, after the December 25 attack, TSA announced the 14-country rule, which essentially put travelers on the selectee list if they were born in or traveled through one of fourteen countries. It's not clear how new that policy really was, but after December 25, the administration announced it as part of the response package. The attention that the policy got was a two-edged sword. It led to a counter-campaign by rights groups and international reps who argued that the policy was seriously overbroad. It was also self-defeating, since al Qaeda could avoid the policy just by picking a 15th country.
The 14-country approach wasn't a long-term solution. So some time in January or February, with little fanfare, TSA seems to have begun doing something much more significant. It borrowed a page from the Customs and Border Protection playbook, looking at all passengers on a flight, running intelligence checks on all of them, and then telling the airlines to give extra screening to the ones that looked risky.
This is a big deal. The new approach allows us to use all of our intelligence about risky travelers, so we don't have to rely exclusively on static lists, which only include about 5% of the suspected terrorists we have intelligence on.
This system is apparently only in place for international flights, in part because that's where the risk is greatest and in part because it works better there. It works on international flights because everyone on those flights must have a passport. So it is hard for people to use fake ID to defeat identity-based security measures. (For domestic flights, no passport is required, so many travelers will use driver's licenses, and identity standards for licenses are still quite weak, thanks to an unholy alliance of governors and groups that seem to think that privacy is improved by making identity theft cheap and easy.)
This new system is also a sign that the creation of DHS is in fact paying dividends. If we still had three separate cabinet departments doing customs, border immigration, and air security, there is no possibility that TSA would be borrowing from and cooperating with border agencies to use their techniques and perhaps their IT systems to screen passengers.
Finally, this step was taken without any big announcement, probably because no one wanted to reveal the system to our adversaries.
So what happened last week? It looks as though the administration tweaked the system further. Now, when TSA scrutinizes the passenger list, it won't just be looking for known terrorist identities but also for fragmentary identities. So, if we know that a Nigerian is training for an attack and that his first name is Umar, we'll select a lot of Nigerian Umars for screening. This is a good thing, but not in my view as significant as the earlier step.
For some reason, though, last week the administration didn't have a good plan for explaining what it was doing. If I had to guess what happened, I suspect that the White House woke up late to the risk that dropping the 14-country rule could be seen as "weak on terror." So they took what had been a low-key and confidential upgrade in security measures and turned it into a new-security announcement to balance the 14-country announcement. Either that or a leak forced a haphazard early announcement.
One last point: The emerging TSA strategy puts a premium on knowing who's getting on a plane as early as possible, both to do careful analysis and to avoid delays in boarding and screening. So TSA will need access to travel reservation data, not just to the passport information gathered at the airport when people check in. But the European Union has been engaged in a passionate if misguided campaign since 2003 to keep such information out of TSA's hands. Recently, the European Parliament declared that it was rejecting a 2007 agreement on travel reservation data.
Ironically, Europe is probably picking a bigger fight over reservation data with the Obama administration than the one it had with the Bush administration. For the last administration, using travel reservation data was just one among a dozen or more counterterrorism initiatives, so a European attack on that initiative was just one more fight to preserve a piece of the last administration's strategy. But for this administration, using intelligence to screen passengers is a signature, maybe the signature, counterterrorism initiative.
The European Union doesn't seem to have many friends in this White House as it is. If it tries to undo the centerpiece of the administration's counterterrorism strategy, Brussels's stock will decline further and faster than the European Parliament probably intended.
Today, anyway. Scott Shane's piece on TSA policy marks the first appearance of Skating on Stilts in any mainstream media outlet:
“It’s an experiment, and we’ll have to see how it works,” said Mr. Baker, a Washington lawyer whose book on counterterrorism, “Skating on Stilts,” is scheduled for publication in June.