How security decisions go wrong?

Sajad Abedi

Information warfare is primarily a construct of a ‘war mindset’. However, the development of information operations from it has meant that the concepts have been transferred from military to civilian affairs. The contemporary involvement between the media and the military in the world of the ‘War on Terrorism’ has meant that the distinction between war and peace is difficult to make. The application of deception in the military context is described below, but it must be added that the dividing line is blurred.

The correct control of security often depends on decisions under uncertainty. Using quantified information about risk, one may hope to achieve more precise control by making better decisions.

Security is both a normative and descriptive problem. We would like to know normatively how to make correct decisions about security, but also to understand descriptively where security decisions may go wrong. According to Schneier, security risk is both a subjective feeling and an objective reality, and sometimes those two views are different so that we fail to act correctly. Assuming that people act on perceived rather than actual risks, we will sometimes do things we should avoid, and sometimes fail to act as we should. In security, people may both feel secure when they are not, and feel insecure when they are actually secure. With the recent attempts in security that aim to quantify security properties, also known as security metrics, I am interested in how to achieve correct metrics that can help a decision-maker control security. But would successful quantification be the end of the story?

The aim of this note is to explore the potential difference between correct and actual security decisions when people are supposed to decide and act based on quantified information about risky options. If there is a gap between correct and actual decisions, how can we begin to model and characterize it? How large is it, and where can someone maybe exploit it? What can be done to fix and close it? As a specific example, this note considers the impact of using risk as a security metric for decision-making in security. The motivation to use risk is two-fold. First, risk is a well-established concept that has been applied in numerous ways to understand information security and is often assumed to be a good metric. Second, I believe that it is currently the only well-developed reasonable candidate that aims to involve two necessary aspects when it comes to the control of operational security: asset value and threat uncertainty. Good information security is often seen as risk management, which will depend on methods to assess those risks correctly. However, this work examines potential threats and shortcomings concerning the usability of correctly quantified risk for security decisions.

I consider a system that a decision-maker needs to protect in an environment with uncertain threats. Furthermore, I also assume that the decision-maker wants to maximize some kind of security utility (the utility of security controls available) when making decisions regarding different security controls. These different parts of the model vary greatly between different scenarios and little can be done to model detailed security decisions in general. Still, we think that this is an appropriate framework to understand the need for security metrics. One way, maybe often the standard way, to view security as a decision problem is that threats arise in the system and environment, and that the decision-maker needs to take care of those threats with available information, using some appropriate cost-benefit tradeoff. However, this common view overlooks threats arising from faults that are made by the decision-maker. I believe that many security failures should be seen in the light of limits (or potential faults) of the decision-maker when she, with best intentions, attempts to achieve security goals (maximizing security utility) by deciding between different security options.

I loosely think of correct decisions as maximization of utility, in a way to be specified later.

Information security is increasingly seen as not only fulfillment of Confidentiality, Integrity and Availability, but as protecting against a number of threats by making correct economic tradeoffs. A growing body of research into the economics of information security during the last decade aims to understand security problems in terms of economic factors and incentives among agents making decisions about security, typically assumed to aim at maximizing their utility. Such analysis is made by treating economic factors as equally important in explaining security problems as properties inherent in the systems that are to be protected. It is thus natural to view the control of security as a sequence of decisions that have to be made as new information appears about an uncertain threat environment. Seen in this light, and given that obtaining security information usually comes at a cost in itself, I think that any usage of security metrics must be related to allowing more rational decisions with respect to security. It is in this way I consider security metrics and decisions in the following.

The basic way to understand any decision-making situation is to consider which kind of information the decision-maker will have available to form the basis of judgments. For people, both the available information and potentially the way in which it is framed (presented) may affect how well decisions will be made to ensure goals. One of the common requirements on security metrics is that they should be able to guide decisions and actions to reach security goals. However, it is an open question how to make a security metric usable, and ensuring that such usage will be correct (with respect to achieving goals) comes with challenges. The idea to use quantified risk as a metric for decisions can be split up into two steps. First, perform objective risk analysis using both assessment of system vulnerabilities and available threats in order to measure security risk. Second, present these results in a usable way so that the decision-maker can make correct and rational decisions.

While both of these steps present considerable challenges to using good security metrics, I consider why decisions using quantified security risk as a metric may go wrong in the second step. Lacking information about security properties of a system clearly limits the security decisions, but I fear that introducing metrics does not necessarily improve them; this may be because 1) the information is incorrect or imprecise, or 2) the usage will be incorrect. This work takes the second view and we argue that even with perfect risk assessment, it may not be obvious that security decisions will always improve. I am thus seeking properties in risky decision problems that actually predict the overall goal – maximizing utility – to be, or not to be, fulfilled. More specifically, we need to find properties in quantifications that may put decision-making at risk of going wrong.

The way to understand where security decisions go wrong is by using how people are predicted to act on perceived rather than actual risk. I thus need to use both normative and descriptive models of decision-making under risk. For normative decisions, I use the well-established economic principle of maximizing expected utility. But for the descriptive part, I note that decision faults on risky decisions not only happen in various situations, but have remarkably been shown to happen systematically, as described by models from behavioral economics.

I have considered when quantified risk is being used by people making security decisions. An exploration of the parameter space in two simple problems showed that results from behavioral economics may have impact on the usability of quantitative risk methods. The results visualized do not lend themselves to easy and intuitive explanations, but I view my results as a first systematic step towards understanding security problems with quantitative information.

There have been many proposals to quantify risk for information security, mostly in order to allow better security decisions. But a blind belief in quantification itself seems unwise, even if it is made correctly. Behavioral economics shows systematic deviations of weighting when people act on explicit risk. This is likely to threaten security and its goals as security is increasingly seen as the management of economic trade-offs. I think that these findings can be used partially to predict or understand wrong security decisions depending on risk information. Furthermore, this motivates the study of how strategic agents may manipulate, or attack, the perception of a risky decision.
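The gap between the normative and the descriptive model can be made concrete with a short calculation. The following is an added example, not part of the original article: it assumes the Tversky-Kahneman (1992) probability-weighting function with their loss-domain parameter 0.69 as the descriptive model, a risk-neutral expected-loss rule as the normative one, and two constructed decision scenarios.

```python
"""Normative vs. descriptive evaluation of a security investment.

Assumptions (not from the article): the descriptive model is the
Tversky-Kahneman (1992) probability-weighting function, gamma = 0.69
for losses; outcomes are valued linearly so that only the weighting of
stated probabilities differs between the two models.
"""

GAMMA_LOSSES = 0.69  # assumed parameter, see docstring


def weight(p, gamma=GAMMA_LOSSES):
    """Decision weight a person is predicted to give a stated probability."""
    if not 0.0 <= p <= 1.0:
        raise ValueError("probability must be in [0, 1]")
    num = p ** gamma
    return num / (num + (1.0 - p) ** gamma) ** (1.0 / gamma)


def actual_benefit(p_before, p_after, loss):
    """Expected loss removed by a control that lowers p_before to p_after."""
    return (p_before - p_after) * loss


def perceived_benefit(p_before, p_after, loss, gamma=GAMMA_LOSSES):
    """Same quantity, computed on weighted instead of stated probabilities."""
    return (weight(p_before, gamma) - weight(p_after, gamma)) * loss


def decide(cost, p_before, p_after, loss):
    """Return (correct, predicted); True means 'buy the control'."""
    correct = cost < actual_benefit(p_before, p_after, loss)
    predicted = cost < perceived_benefit(p_before, p_after, loss)
    return correct, predicted


def classify(cost, p_before, p_after, loss):
    """Name the decision fault, if any, for one quantified risk statement."""
    correct, predicted = decide(cost, p_before, p_after, loss)
    if correct == predicted:
        return "agree"
    return "over-invest" if predicted else "under-invest"


def mismatch_band(p_before, p_after, loss):
    """Range of control costs for which the two models disagree."""
    a = actual_benefit(p_before, p_after, loss)
    b = perceived_benefit(p_before, p_after, loss)
    return min(a, b), max(a, b)


if __name__ == "__main__":
    # Constructed scenarios: (label, cost, p_before, p_after, loss)
    scenarios = [
        ("rare breach, control costs 20,000", 20_000, 0.01, 0.001, 1_000_000),
        ("frequent incident, control costs 28,000", 28_000, 0.9, 0.6, 100_000),
    ]
    for label, cost, p0, p1, loss in scenarios:
        low, high = mismatch_band(p0, p1, loss)
        print(f"{label}: {classify(cost, p0, p1, loss)}; "
              f"models disagree for costs between {low:,.0f} and {high:,.0f}")
```

In the first scenario the small probabilities are overweighted, so the control looks worth more than the expected loss it removes; in the second the large probabilities are underweighted and a worthwhile control is rejected. Both directions of error appear even though the stated risk figures are exact.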

Even though any descriptive model of human decision-making is approximate at best, I still believe this work gives a well-articulated argument regarding threats with using explicit risk as a security metric. My approach may also be understood in terms of standard system specification and threat models: economic rationality in this case is the specification, and the threat depends on bias for risk information. I also studied a way of correcting the problem with reframing for two simple security decision scenarios, but only got partial predictive support for fixing problems this way. Furthermore, I have not found such numerical examinations in behavioral economics to date.

Further work on this topic needs to empirically confirm or reject these predictions and study to which degree they occur (even though previous work makes the hypothesis clearly plausible at least to some degree) in a security context. Furthermore, I think that similar issues may also arise with several forms of quantified information for security decisions.

These questions may also be extended to consider several self-interested parties in game-theoretical situations. Another topic is using different utility functions, and where it may be normative to be economically risk-averse rather than risk-neutral. With respect to the problems outlined, rational decision-making is a natural way to understand and motivate the control of security and requirements on security metrics. But when selecting the format of information, a problem is also partially about usability. Usability faults often turn into security problems, which is also likely for quantified risk. In the end the challenge is to provide users with usable security information, and even more broadly to investigate what kind of support is required for decisions. This is clearly a topic for further research since introducing quantified risk is not without problems. Using knowledge from economics and psychology seems necessary to understand the correct control of security.

I’m Sajad Abedi, a Resident Research Fellow at the National Security and Defense Think Tank. I obtained my Ph.D. degree in National Security from the National Defense University under group of leader of Islamic Republic of Iran. My research interests pertain to Arab-Israeli studies, the Cyber Security studies and National Security.

Dodging UN and US designations: Hafez Saeed maintains utility for Pakistan and China

Dr. James M. Dorsey

A recent upsurge in insurgent activity in Kashmir likely explains Pakistani and Chinese reluctance to crack down on internationally designated militant Hafez Saeed and the network of groups that he heads.

So does the fact that Mr. Saeed and Lashkar-e-Taiba, an outlawed, India-focused ultra-conservative Sunni Muslim group widely seen as one of South Asia’s deadliest, have assisted Pakistani intelligence and the military in countering militants like Tehrik-i-Taliban Pakistan, the Pakistani Taliban, that have turned against Pakistan itself.

Lashkar-e-Taiba has also been useful in opposing nationalist insurgents in Balochistan, a key node in China’s Belt and Road initiative. The China Pakistan Economic Corridor (CPEC), a $50 billion plus China investment in Pakistani infrastructure and energy, is the initiative’s single largest cost post with the Baloch port of Gwadar as its crown jewel.

The United States has put a $10 million bounty on the head of Mr. Saeed, who is believed to lead Lashkar-e-Taiba (LeT) as well as Jamaat-ud-Dawa, an alleged LeT front, and is suspected of being the mastermind of the 2008 Mumbai attacks in which 166 people were killed.

Lashkar-e-Taiba is “not only useful, but also reliable. (Its)…objectives may not perfectly align with the security establishment’s objectives, but they certainly overlap,” says international security scholar Stephen Tankel.

The links between Lashkar-e-Taiba and the Pakistani security establishment are reflected in the fact that the group has recruited in some of the same areas as the military and that some former military officers have joined the group.

The relationship is reinforced by a fear in parts of Pakistan’s security establishment that the group’s popularity, rooted partly in social services provided by its charity arm, would enable it to wage a violent campaign against the state if the military and intelligence were to cut it loose.

So far, Pakistan with tacit Chinese backing appears to see mileage in the group’s existence as a pinprick in India’s side even if creating the perception of greater distance to the security establishment has become a more urgent necessity because of international pressure.

One way of doing so is the apparent backing by Pakistani intelligence and the military of Mr. Saeed’s efforts to enter the political mainstream by securing registration of a political party in advance of elections expected in July. Pakistan’s election commission has so far held back on the application.

Speaking to the Indian Express, Major General Asif Ghafoor, a spokesman for Pakistan’s intelligence service, Inter-Services Intelligence, said that “anything (Mr. Saeed) does, other than violence, is good. There is a process in Pakistan for anyone to participate in politics. The Election Commission of Pakistan (ECP) has its rules and laws. If he (Mr. Saeed) fulfils all those requirements that is for the ECP to decide.”

Indian officials are not so sure. In a world in which demarcations between various militant groups are blurred, Indian intelligence expects a spike in attacks in Kashmir this summer as a result of Lashkar-e-Taiba operatives joining groups like Jaish-e-Mohammed (JeM) and the Hizbul Mujahideen (HM).

Twenty-two security personnel and six civilians were either killed or injured in seven attacks in Kashmir in the first five weeks of this year. India said Lashkar-e-Taiba was responsible for an attack in March on soldiers and policemen in which three Army personnel, two policemen, and five militants were killed. Another 20 were killed in clashes in April between Lashkar-e-Taiba and security forces.

Lashkar-e-Taiba’s utility notwithstanding, Pakistan and China are discovering that engagement with militants is never clean cut. Decades of Pakistani support of often Saudi-backed ultra-conservative Sunni Muslim militants have woven militancy into the fabric of segments of the military, intelligence, bureaucracy and the public.

“A military–mullah–militant nexus has existed for several decades in Pakistan. During this time, the Pakistani military has used religious and political parties connected, directly or indirectly, to various militant outfits as political proxies,” Mr. Tankel said.

National security expert S. Paul Kapur and political scientist Sumit Ganguly noted that “the Pakistan-militant nexus is as old as the Pakistani state. From its founding in 1947 to the present day, Pakistan has used religiously motivated militant forces as strategic tools… Supporting jihad has been one of the principal means by which the Pakistani state has sought to produce security for itself.”

Decades later, the strategy is backfiring. Concern about increased domestic violence if Pakistan were to cut its links to militants and crack down on them irrespective of their utility is heightened by the fact that many of the groups operate either with no regard for the concerns of the security establishment or with the unsanctioned support of individual military and intelligence officials.

That is believed to have been the case in a string of sectarian attacks in Balochistan by Lashkar-e-Jhangvi (LeJ), ultra-conservative, anti-Shiite Sunni Muslim militants, in which hundreds of Shiites have been killed. China has also been a target of militants in Balochistan.

The spike in sectarian attacks prompted a military crackdown earlier this month. “While such intelligence-based operations are vital, they deal with the symptoms rather than the disease,” cautioned Dawn newspaper.

Speaking in September last year in New York when he was still foreign minister, Khawaja Muhammad Asif acknowledged that Mr. Saeed and other Pakistani-backed militants have become liabilities. But even so, Mr. Asif appeared to be looking for wiggle room.

“I accept that they are liabilities but give us time to get rid of them because we don’t have the assets to match these liabilities,” Mr. Asif said.

Why America’s Torture-Chief Now Runs the CIA

Eric Zuesse

On May 17th, the U.S. Senate Intelligence Committee voted 10 to 5 to approve Gina Haspel as America’s new chief of the Central Intelligence Agency. Back in 2002, she had headed the CIA’s “black site” in Thailand where she ordered and oversaw the torturing of Abu Zubaydah, trying to force him to provide evidence that Saddam Hussein was behind the 9/11 attacks, but Zubaydah had no such evidence and wasn’t even able credibly to concoct a story that President George W. Bush could use to ‘justify’ America’s invading Iraq in response to 9/11. Subsequently, Zubaydah has been held incommunicado in Guantanamo in order to prevent him from being able to be heard by the American public regarding what ‘our’ Government did to him (and possibly even in order to bring formal charges against the U.S. Government regarding its treatment of him), and (to the extent that he knows) why the U.S. Government did this. Even to the present day, the U.S. regime still has not brought any legal charges against Zubaydah, because it possesses no evidence that he was connected to the 9/11 attacks and hasn’t succeeded in fabricating such, but especially because it insists upon refusing to provide him a day in court in which the American public (and the world-at-large) might be able to hear the incriminating further evidence against itself, from him.

Haspel’s confirmation as Trump’s CIA Director is also confirmation that everything which candidate Trump had said on the campaign trail against America’s having invaded Iraq was lies from him, and that he is actually fully on board not only about that invasion, but about the continuing lies about it — and the cover-ups (which are, quite evidently, still ongoing).

If the U.S. regime is allowed to get away with this, then any pontifications from it about such things as “America is under attack” from Russia, and that there has been “Russian election interference” involved in “this attack on the United States,” are preposterous, but are even worse than that: they are based on flagrant lies by, and on behalf of, a U.S. regime that tortures in order to obtain ‘evidence’ for its invasions, and that hides, for decades, the truth about this, from its own public.

A writer for the Brookings Institution and the Washington Post asserts that America’s Democratic Party’s “haste to brand President Trump a tool [of Russia]” is “unwittingly doing the Russians’ work for them: validating the notion that our democracy is a sham.” But perhaps the prominent publication, and think-tank promotion, of such writers as that, in the United States, is, itself, yet further evidence that “our democracy is a sham.” Only one scientific study has ever been published about whether America’s “democracy” is authentic or else a sham, and it found that this ‘democracy’ certainly is a sham, but the Washington Post and the Brookings Institution etc., don’t publish that information — they hide it, and you’ll see and hear about it only at ‘fake news’ sites such as this. (The real fake-news sites, in the English language, include all of the mainstream ‘news’ media and almost all of the ‘alternative news’ ones — but not this site, which is one of the few that are in English and not fake ‘news’.)

Making Gina Haspel Director of the CIA was a bipartisan action by this regime, this fake ‘democracy’, by two fascist political Parties; and, yet, the American public see and hear, in this nation’s leading ‘news’ media, such drivel — accusations that Russia is doing what the U.S. has actually been doing, for decades.

However, this isn’t to say that Russia has actually been doing these things, but only that the U.S. has definitely been doing it — and is set to continue doing it in the future.

Measuring American ‘democracy’ by how uniformly the U.S. Government carries out its “Cold War” against Russia — a ‘Cold War’ that never really was about communism at all but only pretended to be — isn’t just fraudulent, but it is downright stupid, and it seems now to be the established norm, in the United States. A dictatorship can fool its public like that; and, if it doesn’t, it won’t continue to rule.

So, in America and its satellites, Gina Haspel is a ‘patriot’ who wins a top post of power, while Julian Assange is not only an ‘enemy of America’ but one whom the U.S. and its satellites have silenced and are slowly killing. On 14 December 2011, the Washington Post bannered, “Poll: Americans say WikiLeaks harmed public interest; most want Assange arrested”, and reported that “68 percent say the WikiLeaks’ exposure of government documents about the State Department and U.S. diplomacy harms the public interest. Nearly as many — 59 percent — say the U.S. government should arrest Assange and charge him with a crime for releasing the diplomatic cables.” The American people have been fooled into favoring the regime in this, just as they were fooled in 2003, during the lead-up to the regime’s invasion of Iraq.

The reason why America’s torture-chief now runs the CIA, is that this is the way a dictatorship has to act in order to stay in power. And they need a gullible public, in order to be able to continue scamming the public, from one invasion to the next. That’s the unvarnished, and empirically proven, nauseating, truth. Gina Haspel and her promoters hide it from the public, but they can’t reverse it; and they are, in fact, dependent upon its continuation.

The secret dream of all propagandists

Dr. Andrea Galli

Not even a month after Mark Zuckerberg’s grilling at the US House of Representatives, Facebook is announcing a partnership with NATO’s social media propaganda organization: The Atlantic Council’s Digital Forensic Research Lab (DFRLab). The organization claims to be the guarantor in defending the public from fake news. In its arsenal of topics to be defended, there are, of course, the usual favorite arguments of NATO. Above all, there is a strong predilection to influence the public perception about governments opposing NATO’s great design and hegemonic ambitions: such as Russia, Iran, Syria, China, Palestine…

The press release of the organization says: “Today DFRLab announced that we are partnering with Facebook to expand our #ElectionWatch program to identify, expose, and explain disinformation during elections around the world. The effort is part of a broader initiative to provide independent and credible research about the role of social media in elections, as well as democracy more generally”.

For the uninitiated, the DFRLab serves the American-led alliance’s chief advocacy group known as the Atlantic Council. Its methods are rather simple: it grants generous stipends and fantastic academic qualifications to various activists that align with NATO’s agenda. Just look at who funds the Atlantic Council: donors include military contractors such as Lockheed Martin, Boeing and Raytheon, all of whom directly profit from tensions with Russia, China, Syria… Meanwhile, in addition to NATO itself, there are also payments made by the US State Department, along with payments from the US Defense Department. Other major paymasters include the government of the United Arab Emirates, which is, of course, an absolute monarchy and other absolute monarchies in the region.

Facebook has partnered with an organization funded by weapons manufacturers, the US military, and Middle-Eastern monarchies to safeguard the democratic process? If Facebook truly wanted to “protect democracy and elections worldwide,” it would build a broad coalition of experts from a wide and disparate range of the countries it serves. Instead, it has outsourced the task to NATO’s propaganda wing.

This is a perfect situation for NATO and those who depend on it for their source of revenues and status, because NATO is now positioned to be the master of Facebook’s servility in the information war on the social network battlefield. By marrying a clearly biased actor to police “misinformation and foreign interference” and to “help educate citizens as well as civil society,” Mark Zuckerberg’s team has essentially made their company a tool of the US’s military agenda.

This is the dream of every propagandist: to infiltrate a communication infrastructure present on every smartphone and home computer and used addictively by the great majority of the population; to channel disinformation to the addicted public and to control “the truth”. The goal is always the same: to obtain popular support for financing the military apparatus and, in the end, obtain popular support for a war. We wonder what this dream of propagandists has to do with the defense of democracy. It would come as no surprise if Facebook were soon proclaimed a defender of freedom and human rights.

Copyright © 2018 Modern Diplomacy