Monday, September 16, 2013

The Fortress Myth

For the second time in less than four years, there has been a mass shooting at a U.S. military installation.

According to Washington, D.C. Police Chief Cathy Lanier, at least 12 people were killed this morning at the Navy Yard in the district's southeastern area, on the banks of the Potomac River.  The shooting occurred in a building that housed the Naval Sea Systems Command headquarters building.  More than 3,000 military and civilian employees worked in the facility.

As many as three gunman may have been involved in the shooting. At a press briefing shortly after 2 pm Eastern Time, Chief Lanier told reporters that one shooter was killed by security personnel responding to the incident.  Fox News (and other media outlets) later identified as 34-year-old Aaron Alexis from Fort Worth, Texas.  According to some reports, Alexis was a Navy contractor who was recently hired to work by The Experts, an IT firm working with Hewlett-Packard on a project involving the Navy and Marine Corps intranet.  A senior executive with The Experts said that Alexis previously worked for the company in Japan in 2012.

At mid-afternoon, the search for other suspects was continuing.  At least one individual, reportedly wearing a "tan-style" [Navy] uniform had been contacted by authorities and cleared as a suspect.  But police were still looking for another person, also clad in a military-style uniform.  By late evening, police had dismissed the theory of additional gunmen, deciding that Aaron Alexis acted alone.

Earlier reports on the dead gunman--which identified him as a retired Navy officer or Petty Officer--proved false.  Those initial accounts were reportedly based on a military ID card found at the scene, raisinig the possibility that a lost or stolen card was used by the shooter to gain access to the Navy Yard.  While that scenario has subsequently been dismissed, ID cards remain a security vulnerability for DoD.

To gain access to a base or facility, individuals are required to present an ID card at the gate or entry control point.  Those cards are issued by the military, at the Pass and ID facility that can be found at almost every base.  Active-duty personnel, uniformed reservists and eligible contractors receive a common access card (CAC) that contains a computer chip.  Other members of the military community, including dependents and retirees, are issued a uniformed services ID card.  That latter card utilizes older technology which can be more easily duplicated, or forged.

As I type this post, I'm looking at my own uniformed services card, issued when I retired from active duty more than a decade ago.  The picture is faded and the lamination could be easily pulled back, allowing someone to alter the photograph or information imprinted on the card.  There are also numerous on-line firms that will provide a phony military ID, for a price.

But even if the bad guys get their hands on an ID card, there are supposed to be additional lines of defense, starting with the guard at the gate, or entry control point.  Some are military police; others are civilian contractors.  DoD regulations require that security personnel check the ID of everyone attempting to enter the installation.  The operative word is "check."  In some instances, ID cards are scanned; the portable device is linked to the DEERS database, so if the card has been lost, stolen or it's a forgery, the guard will be instantly notified.  Security personnel are also required to visually inspect all cards presented for entry, ensuring that the photo matches the face of the holder, and and key elements (such as the branch of service and DoD shield) are present.  If something seems amiss, security personnel are authorized to turn away or detain suspicious individuals.

Sounds reassuring, right?  Think again.  At the height of morning rush hour, guards manning the installation's access gates or entry control points have only a few seconds to inspect each card.  Anything beyond a cursory review would create traffic jams in just a matter of minutes.  Additionally, you'd be surprised to learn just how infrequently cards are scanned against the data base, and how few bases require individuals seeking entry to obtain a visitor's pass.

Let me cite a personel example: in my current job, I visit military installations around the country and in some cases, security is surprisingly lax.  A few weeks back, I visited a major Army post in western Texas; that particular base is an open installation; anyone presenting a valid ID (including a driver's license) can access the post.  Among the bases I travel to on a recurring basis, none are open posts, but almost none bother to scan the ID cards that pass through their gates.

Given those realities, it's little surprise that the shooter (or shooters) was able to breeze onto the Navy Yard this morning.  Once inside the gate, it was simply a matter of finding a parking space, grabbing weapons and heading into the building.  More detailed vehicle checks, which might have uncovered Alexis's small arsenal, are rarely conducted, particularly during morning rush hour, when hundreds of drivers are attempting to access the base.
There are obvious solutions for these problems.  First, bring back base decals which were required for years on the front of vehicles allowed to access the base.  The decals, which were eliminated in a cost-savings measure, provided another level of verification for individuals entering the post.  Now, in the "post-decal" era, virtually any vehicle can enter the post, as long as the driver presents a valid ID card.

Additionally, the Uniformed Services ID Card should be upgraded, making it more resistant to tampering and forgery.  Few would argue that retirees and dependents need CAC cards, but incorporation of biometric and tamper-resistent features would make it more difficult for criminals, terrorists and psychopaths to obtain phony documents.

Beyond that, the inspection process at the gate must become more careful and detailed.  Every ID card should be scanned and if the holder can't be found in the database, access should be denied.  If the card isn't scanned, it becomes relatively easy for individuals to enter the post, using forged or stolen identification cards.

DoD should also spend whatever it takes to clean up the databases used to issue and track ID cards.  Unfortunately, the system doesn't always catch important changes, such as the death of a military retiree, a new marriage, or the loss of an ID card.  Consequently, a clever criminal or enterprising terrorist stands a good chance of getting on base with a stolen or forged card.

There's nothing particularly "revolutionary" about these fixes--just implementing corrective measures that should be mandatory on any military installation.  And here's another idea: why not put more armed personnel on patrol around the post?  Every armed forces organization have individuals who can be trained and pressed into service as security augmentees.  A greater armed presence could have a deterrent effect on individuals contemplating future attacks.  Another solution is allowing some service members to enjoy the same, concealed carry rights afforded to their civilian counterparts.

In an era when many Americans have no contact with the military, they (incorrectly) assume that military bases are virtually fortresses, and almost impervious to this type of attack.  Those of us who served knew better; the Fort Hood massacre exposed the vulnerability of military posts to this type of assault and today's events at the Navy Yard only reaffirmed those weaknesses.

So far, officials are dismissing the possibility of terrorism, even though multiple shooters may have been involved.  But rest assured that Al Qaida was watching and taking notes.  Today wasn't the first mass-shooting incident on a U.S. military base and it certainly won't be the last.

Subsequent reporting on Aaron Alexis reveals that he served four years on active duty in the Navy (apparently in the Dallas-Fort Worth area), but was eventually discharged for disciplinary reasons.  Still, Alexis managed to reach the rank of Petty Officer Third Class (E-4), which is common for a first-term enlistee.  And, despite the disciplinary issues that ended his Navy career, he was hired twice by the same defense contracting firm. 

Hmm....sounds vaguely reminiscent of Edward Snowden, the IT contractor accused of revealing hundreds of sensitive NSA secrets.  Despite getting bounced from Army basic training (and his lack of a high school degree), Snowden was hired by at least two defense contractors and given a TS/SCI clearance.  There were plenty of reasons to deny employment--and a clearance--to Mr. Snowden, but he was hired anyway and we know what happened after that.  Likewise, Alexis's dismissal from the Navy should have raised red flags about his suitability to work as a defense contractor, but he still got the job.  Alexis was preparing to start his new job at the Navy Yard at the time of the shooting and it's still unclear what prompted the rampage, though the former sailor had anger management issues.           



Ray said...

Is there a technical or legal obstacle to using a biometric method (like, say, an iris scanner or thumbprint reader) to authenticate every person entering the base?

Even on an older model ID card without a radio tag a camera with modern OCR software can easily read off the ID number and name and compare it with a central database to verify identity.

I was astonished to hear that somebody could've gotten into a sensitive naval office building with a stolen ID. At the agency I worked at many moons ago, your id was combined with a PIN number you had to enter at the turnstile, and that was when biometrics was much less advanced.

James said...

From my own experience (years ago) access to even highly secure establishments could vary according to the attitude of the people in control of the entry/exit points of a facility. Also as you pointed out the problem of places with alot of civilian traffic being able to do "business" or be secure. As long as there is the view we are "not" at war it's going to be hard to maintain physical security.

TrT said...

Assume 2000 people, 1 minute per check, and 10 guards.
Thats over three hours entrance time.

Even with 50 entrance points, its 40 minutes to clear everyone.

Such security might keep out the crazies, but your giving them one hell of a target outside the barrier to hit.

You cant have a secure facility that lot of people access frequently.
You just cant.

MarkD said...

Arm all your Staff NCOs on duty while on post. We will not lock up the dangerously insane until they do something. We will not prevent the next attack. We can minimize the damage.