T H I N K I N G S T R AT E G I C A L LY A B O U T N AT I O N A L I N T E L L I G E N C E

You know that the best you can expect is to avoid the worst. 1

National Security as Managing Consequential and Catastrophic Risks. Today, Americans,

as well as citizens from many other countries of the world, find themselves living under a state
of exception. Normal is suspended. The unexpected almost always occurs. But with
uncalculable probability and consequence. It appears that the links among risk assessment,
risk mitigation, and the methodologies for establishing adequate budget have not yet been fully
explored or developed. Many initiatives are so compartmentalized and fragmented that it is
unclear with whom, or even where, responsibility resides, much less accountability for results.
We appear to be fighting point source threats on many fronts, but non-point, systemic threat
mitigation may still be under-focused on. Getting our arms around strategic issues of
consequential and catastrophic systemic risks may assist in developing the methodologies we
need to analytically establish prioritization and global budgets for risk mitigation initiatives.
Otherwise, its just more shoot from the hip, spend broadly, and hope for the best. Hardly a
recipe for success. My thoughts on thinking strategically about consequential and systemic
risks are at: http://www.scribd.com/doc/22163392/.

1Italio Calvino, If on a Winter’s Night a Traveler (1979) in William Poundstone, Prisoner’s Dilemma (New
York: Doubleday, 1992), 53.

Lyle Brecht Draft 1.1 Thursday, December 3, 2009 Page 1 of 6

 T H I N K I N G S T R AT E G I C A L LY A B O U T N AT I O N A L I N T E L L I G E N C E

National Intelligence as Identifying and Analyzing Consequential and Catastrophic Risks.

What, most of all, defines this discourse of exceptionality is the suspension of a willingness to
question the status quo of policy. Policy establishes much of our analytical frames of reference.
Policy also delimits our ability to identify risks and to mitigate these risks. Examples of policies
that, when analyzed, make no sense at all are legion today. Today, maybe the most immediate
global consequential and catastrophic threats are from nuclear war and from global warming.2

The risk probability of a nuclear war is directly determined by policy. This policy is a 60-year old
policy of nuclear deterrence based on an out-dated and largely disproved economic theory
called rational choice theory that was incorporated into the game of mutual assured
destruction.3 Is it rational to continue to play a game of nuclear deterrence that is out-of-date
and unwinnable? In the past 64-years, the world has allocated approximately $60,000 billion to
military defense. The world will spend $1,500 billion (U.S.) this year alone for military defense.
The overdetermining belief is that military defense primarily renders a nation safer. Is this belief
rational, given the constellation of risks that constitute national security today?

Scientists have proven with ever more detail and preciseness that global warming is occurring
today. Few members of the public would decide to challenge physicists concerning the details
of quantum physics. Claiming that the theory of quantum physics was a hoax would be hard to
swallow. Unfortunately, this questioning of basic physical reality (global warming and is effects
can be demonstrated as clearly as the effects of a nuclear explosion) has been used to forestall
policy development. The longer policy decisions are delayed and appropriate mitigation does
not occur, the more expensive the consequential effects. Today, if 350 PPM CO2 is the tipping
point (latest MIT studies), the cost of mitigation may exceed $20,000 billion. However, the
global consequences of doing nothing may result in the morbidity of as many as a few billion
humans, large numbers species lost and a worst case economic impact of $200,000 billion.
May I ask, how is it rational to continue to delay policy decisions when so much is at stake?
What are the intelligence requirements for an analysis of the national security ramifications?

Potentially, the largest national security threat to the nation’s functioning integrity most recently
was from the 2008 financial crisis. This was a glaring instance of markets (or anyone else) not
managing systemic risk. Trillions of dollars in CDOs (collateralized debt obligations) derivatives
based on the underlying asset values of mortgages on real property were sold. Hundreds of
billions of dollars in salaries and bonuses were paid to Wall Street executives and traders for

2 See “Consequential and Catastrophic Risks” at http://www.scribd.com/doc/22163392/.

3 See “The Economic Games Behind Nuclear Deterrence” at http://www.scribd.com/doc/20228926/.

Lyle Brecht Draft 1.1 Thursday, December 3, 2009 Page 2 of 6

 T H I N K I N G S T R AT E G I C A L LY A B O U T N AT I O N A L I N T E L L I G E N C E

selling these insurance contracts. Yet, as the CDO market collapsed, U.S. taxpayers were
asked, via the Federal Reserve and the U.S. Treasury to put-up approximately $17,489 billion in
reserves (potential future taxes).4 From an economic risk perspective, this event was of greater
consequence to the nation’s security, for example, than any war since WWII, or potentially a
larger threat than any anticipated terrorist attack from outside our borders. Was our Intelligence
Community (IC) up to speed in identifying and analyzing this systemic risk to the nation?

Risks to cyberspace are getting a lot of attention today. It is evident that a lot of work and
sound thinking are occurring. New, rich frameworks for public-private collaboration are being
explored, as well as some innovative market-based incentives. However, to-date, the thinking
regarding cyberspace security has primarily been a tactical-level exercise with many good
ideas focused mostly on conventional, malicious threats to cyberspace. Lacking is strategic
thinking and the methodology to set levels of capital allocation/budget for mitigating different
levels of risk.5
___________________________________________________________________________________

Below, are some comments on two recent public reports dealing with the threat of a terrorist
attack. The comments are illustrative of some of the larger risk identification, and risk mitigation
issues that I attempted to briefly explicate in my arguments above:

Preliminary Thoughts on “How Terrorist Groups End” RAND report.6

1) Page 3, Definition: “definition of terrorism, this monograph argues that terrorism involves the
use of politically motivated violence against noncombatants to cause intimidation or fear
among a target audience.” Potential problems:

(a) frame for what conventionally constitutes terrorism is based on hindsight bias and may be
ambiguous and/or too narrow. I am thinking, for example, of Germany under Hitler Russia,
under Stalin, Chile under Pinochet, Iraq under Sadam Hussein, etc. which are essentially
terrorist-run governments, exacting torture and “politically-motivated violence against

4Estimate of reserves from Nomi Prins & Christopher Hayes, “Meet the Hazzards,” The Nation (October
12, 2009) at http://www.thenation.com/doc/20091012/prins_hayes based on the analytical work
published in Nomi Prins, It takes a Pillage: behind the Bailouts, Bonuses, and Backroom Deal from
Washington to Wall Street, (New York: Wiley, 2009).

5See “Thinking Strategically about CNCI” at http://www.scribd.com/doc/15769323/ and “National Cyber

Systems Security Review Discussion” at http://www.scribd.com/doc/12659947/.
6Seth G. Jones and Martin C. Libicki, “How Terrorist Groups End: Lessons for Countering al Qaida,”
RAND Corporation National Security Research Division (2008).

Lyle Brecht Draft 1.1 Thursday, December 3, 2009 Page 3 of 6

 T H I N K I N G S T R AT E G I C A L LY A B O U T N AT I O N A L I N T E L L I G E N C E

noncombatants to cause intimidation or fear among a target audience” i.e. all citizens of the
country or certain out-groups;

(b) The presumption that “terrorists” are always part of an out-group, or not democratically
elected within existing political processes results in your statistics suffering from conjunction
fallacy where probabilities based on faulty definitional categorizations could get risk
probabilities very wrong;

(c) you may do better by including the idea of asymmetrical violence in your definition of
terrorism. Even that leaves gaps, but plugs some obvious holes;

2) Scope neglect. I am uncertain why 1960 was chosen as the beginning of the period for
analysis. For example, Vaclav Smil recognizes four distinct periods for asymmetrical violence:
(a) 1879 - 1919 Russia’s Narodnaya volya (the people’s will) targeted assassinations; (b)
1920-1960’s terror in the service of self-determination (more like the American Revolution
counterinsurgency activities); (c) 1960’s-70’s occupation protests (PLO’ IRA, etc.) and (d) 1979-
present religiously-inspired terrorist activities. We have data on terrorist activities from Biblical
times. What has changed over time? My own claim is that the terrorism of the future will be
non-stationary. Using historical data to assess risk will be of minimal value;

3) Anchoring. You are assuming terrorism is always a problem initiated by someone other than
us (America). The definition above should be strong enough to identify when anyone engages
in terrorism. E.g. In Iraq and Afghanistan, if you interviewed the local citizens, you might
discover that from their perspective, we came as liberators, stayed as occupiers, and then
became terrorists in our own right. However politically distasteful that analysis may be,
analytically, it may an important issue to get risk probabilities and planning/strategy dynamics
more right;

4) I would like to spend more thought on linking risk analysis with strategy and a methodology
for allocating capital to mitigate specific levels of risk. What I have seen since 9/11 is a
disjunctive between strategy, risk, and capital employed to mitigate that risk. Instead of an
analytical process to accomplish this, the process has been highly politicized and topical.

Thus, excessive capital has been over-employed to mitigate some popular risks, other
important, less understood risks have gone wanting for budget, and budget has been wasted
on mitigating some common risks that cannot be effectively mitigated by any amount of
capital. That is, strategy, budget, and risk reduction have not been coordinated, have not

Lyle Brecht Draft 1.1 Thursday, December 3, 2009 Page 4 of 6

 T H I N K I N G S T R AT E G I C A L LY A B O U T N AT I O N A L I N T E L L I G E N C E

grown from solid analysis, and have largely been ineffective if one calculated an EROIC
(economic return on invested capital) to address risks.

Preliminary Comments on “Rare Events” MITRE report to DOD’s Strategic Multi-Layer

Assessment (SMA) program.7

In B1 “Is 9/11 an Outlier” the report calculates (p) = 25.7% for a 9-11 event for the 38.5 year
period from 1968-2006. I can see where you arrive at this calculated result, but conceptually, I
am wondering exactly what the report means to convey:

(a) by 9/11 ʻrare eventʼ do you mean an event that produces ~$90 billion in property damage
and kills at least 3,000 people or an event that is 3 standard deviations beyond a ʻnormativeʻ
terrorist attack?

(b) the 27.5% (p) of this rare event is calculated post retrospectively. Is that even useful? I am
thinking that before 9/11, maybe up to the summer of 2001, that the predicted (p) of a 9/11
event would have been negligible, and even during the summer of 2001, when the (p) of a
terrorist action might have been confidently predicted at >90%, no one would have imagined
a 9/11-type rare event, because such an event had never occurred in history (or at least
knowledge of history accessible to those making such assessments);

(c) I guess what I am getting at is that w/o constellated event data to input into our (p)
calculations, all we can do is predict that something greater than normative may happen with
x probability, assuming we are on a Cauchy-Lorenz distribution. What we cannot do with any
precision is to predict where we are on that fat tail w/o more data. That is, we can be at a
9/11 rare event, or at the level of a rare event that has destroyed Cleveland w/ a nuclear
weapon, pre-retrospectively;

(d) Which brings me to B2 “Odds of 9/11 Scale Event in Next Decade” where calculated (p) =
6.7% over the next decade. Is this just a proportional calculation - that over the next 38.5
years the (p) of 27.5% between 1968-2006 is reconstituted post 9-11? I donʼt believe so. If
we are already on the fat tail of a Cauchy distribution, our probability in the vicinity of a
recent ʻrare eventʼ should increase by some factor e.g. if I am already in a drought year (now
defined by non-stationarity, rather than by stationarity), the probability of next year being a

7DOD Research & Engineering’s Strategic Multi-Layer Assessment (SMA), MITRE’s Jason report, “Rare
Events” (October 2009).

Lyle Brecht Draft 1.1 Thursday, December 3, 2009 Page 5 of 6

 T H I N K I N G S T R AT E G I C A L LY A B O U T N AT I O N A L I N T E L L I G E N C E

drought year is much higher than if I was on a Gaussian curve. The joke in the water supply
business is that it appears a 100-year drought now occurs every 20-60 years, rather than
every 100-years.

(e) What I am getting at is that once a ʻrare eventʼ occurs in reality, it reflexively changes the
distribution curve. The old curve no longer stands, assuming that learning can occur (e.g. its
not about the (p) of an asteroid striking the earth).

(f) Thus, I would recommend that the (p) of a 3-sigma terrorist event occurring w/in the 10-
years following 9/11 is actually much higher than pre-9/11. There are two gottchaʼs for this
more probable ʻrare eventʼ however: (1) the rare event may be so different than a 9/11-type
event, that we may not recognize it at first as a terrorist ʻrare eventʼ (I am thinking, for
example, of a human-induced cascading failure of our cyber-network, etc. that does not kill
people, but destroys GDP potential of the nation); and (2) the probability of a rare event
occurring via malicious intent my be much lower than that of a similar rare event occurring
due to systemic structural causes that may not be malicious, but accidental, due to
inadequate O&M and R&R or chance occurrence that brings the system to a collapse state.

(g) In fact, I contend that capital spent planning for the rare event may produce a better EROIC
(economic return on invested capital) focusing on structural system vulnerabilities than
primarily on identification and apprehension before-the-fact of malicious human actors. That
is, spending capital to improve system resilience should a rare event occur, may produce
greater benefit than attempting to thwart and anticipate all rare event threats where human
actors have both intent and capacity to adversely disrupt the system state under
consideration.

Lyle Brecht Draft 1.1 Thursday, December 3, 2009 Page 6 of 6