Security concerns remain high as the Summer Games open in Athens this month, with international threats as well as domestic ones: Greek terrorists set off three bombs in the city on May 5.
Although the explosions caused no casualties, they underscored the palpable tension that permeated last-minute Olympic preparations. The last thing the International Olympic Committee wants is a repeat of the 1972 Munich disaster. Black September terrorists held the Israeli wrestling team hostage, and an aborted attempt to free them by West German law enforcement resulted in the deaths of the terrorists, all of the athletes, and their coach.
Following those tragic days of 32 years ago, geopolitically charged terrorism has soared to unprecedented levels. Of course, this was never more apparent than on September 11, 2001, and these Summer Games are the first since that date. Billions of viewers are expected to watch different portions of the athletic competitions. For terrorists who thrive on publicity to stir up insecurity and fear, the Summer Olympics becomes a very tempting target.
Compounding the problem, Athens is a port city that can be reached by sea, air, and land. Unlike Salt Lake City, host of the 2002 Winter Games, Athens is much closer to the centers of Islamic discontent, greatly simplifying the terrorists' travel logistics. On the other hand, the Salt Lake City Olympic organizers succeeded in keeping the games incident-free (save for a skating event judge's scandal). So, there's a precedent for successful prevention.
Where does engineering come into the picture? An effective security system always blends people, policy, and technology. In network security, the most advanced technology in the world will be useless unless the people who attend it are both competent and fully briefed on policy. It does no good if the technology identifies a breach but the person responsible for taking action doesn't know what to do. The same is true for security against terrorism. The engineers who construct the system must think beyond the technology to the people who will wield it and the policies that will drive it.
One problem in the early stages of the World Trade Center attack was the lack of communication between the various first responders. No one had planned for a need to tightly coordinate a massive response by police and firefighters. While one organization called for a rapid evacuation of the buildings, another advised people to go back to their offices and wait. In the midst of the chaos, there was no clear plan for "who has the ball," so the confusion nullified the extant policies.
Salt Lake City security organizers learned from that experience. A key element of their system was rapid dispatch of information to wherever it was needed, despite the collaboration of more than 60 state and federal agencies who otherwise rarely communicate with one another.
VENDORS DIFFER FOR IT, SECURITY
Atos Origin, a multinational systems integrator, put together the IT system that underpins the admission of athletes, visitors, and other people and handles the logistics of moving athletes around to the various venues in time for posted events in Athens. The security system comes from a consortium led by Science Applications International Corp. (SAIC), the U.S. company that developed the system for Salt Lake City.
Both vendors have been somewhat hampered by delays in construction progress that have plagued Athens' Summer Games effort. As the clock continued ticking, everyone including these vendors scrambled to make sure all systems were working as intended. According to Yan Noblot, information security manager, as of early June, Atos Origin was engaged in 200,000 hours of testing based on about 5000 test cases. He anticipated finding around 10,000 defects to correct before the opening ceremony.
Though less worrisome than physical damage and human casualties, the Summer Games organizers wanted to decrease the odds of a successful hijacking of the IT system or any of its components. Each system has at least two cloned backup systems. Even the data center, situated in a top-secret Athens location, has a twin that's remotely located and tasked with protecting the information and information flow even during an earthquake.
But that's not all. Intrusion points like USB ports and removable storage drives were eliminated from all 10,500 system PCs. Of course, everything is equipped for anti-virus, firewall, and intrusion-detection functions. Organizers hope that will take care of the external threat. A complex of identification and access-privilege management schemes will handle internal threats. These developments all aim to ensure that only the persons authorized to use any system can actually do so.
NEED TO BE OPEN AND SECRET
For obvious reasons, there's a dilemma surrounding information about security preparations. On the one hand, there's a need to let potential attackers know that any wrongdoing will be very risky and difficult. But many details must be kept secret so no one can exploit the information to disrupt the system.
The Olympics PR machine has disclosed, for example, that 70,000 people are working in security in some capacity. That's nearly seven security personnel per athlete! Olympics organizers also said the system has about 1400 surveillance cameras operating 24 hours a day, seven days a week, with most situated in Athens itself. About 1250 infrared and high-resolution cameras are mounted on concrete columns in the city (see "Down To The Wire," p. 48), and surveillance equipment is in place on 12 patrol boats, 4000 vehicles, a blimp, and three helicopters.
The SAIC consortium, which includes Siemens and Nokia, created security command centers that act as a command and control hub for Greek police, fire departments, armed forces, coast guard, and first aid. But the real magic is in the algorithms and interfaces that permit fast identification of potential threats and immediate remediation. Such information is kept very close to the vest.
Even with 70,000 people dedicated to security, lots of holes remain. So in addition to effective and rapid communications, the security heads must also take advantage of risk profiles and human intelligence gathering. The ideal, of course, is to get wind of a potential threat while it's still outside Greece. In practical terms, though, the system must provide concentric security coverage. The number of people involved and the security measures must intensify, geometrically, as one gets closer to the Games venues.
A HIGH-STAKES GAME
Security is a high-stakes game. Terrorists want to strike a target where they can affect the most casualties and damage. Enclosed venues tend to concentrate and focus explosions and aerosols. Outdoor venues tend to draw the largest crowds. Some events attract more attendees and more television viewers than others. Using risk analysis, one can begin to prioritize the deployment of personnel based on the likelihood of different attacks. That way, instead of spreading resources evenly, they can be proportioned and focused based on probabilities.
By the same token, potential attackers may try to outfox the hunters by picking a less likely spot to ambush. Therefore, to be really effective, the deployment algorithms must be designed to be quickly interrupted and "subroutined," allowing for rapid redeployments as risk profiles suddenly change. For example, if the regular algorithm had deployed a large contingent of security people to two high-profile and well-watched events, but a high-resolution security camera spots a known terrorist suspect near a less popular event, a reserve of security personnel could be quickly dispatched to the latter event. Also, more stringent entry ID checking could be immediately invoked.
Stories about the Athens Olympics security preparations talk about cooperation with NATO to help secure Greece's borders. In truth, the first level of prevention and detection happens outside the country. Embarkation airports and seaports and border controls at border access points are the first opportunities to identify suspected terrorists heading toward Greece. Earlier intelligence gathering that indicates a plan by someone of interest to do so can now be corroborated with real travel and destination. It's very important that the security databases be up to date and that identification systems rely on more than names and home countries. In cases of doubt, photo and fingerprint ID become critically important at all points of entry into Greece (see "Simpler Tools Aid Security Preparation," DRILL DEEPER 8482 at www.elecdesign.com).
One can't count on a single security sieve to weed out the bad guys. The sifting has to be repeated with finer sieve holes as the timeline inches closer to Summer Games venues. Moreover, one can't rely too heavily on technology alone. A planned attack on Los Angeles International Airport was thwarted not by technology but by the visceral reaction of a female border control agent on the U.S./Canadian border. People are the most important component of the people-policy-technology triad.
LOW LATENCY IS CRUCIAL
In designing an effective security system, it's critical that user interfaces be very intuitive and that the roster of features and benefits corresponds to real user needs and overall system-integration requirements. The time between when a border agent inputs a suspect name and passport number to the time that information is sliced, diced, and becomes part of the active security database should be minutes, not hours. Similarly, it should take only minutes for a critical piece of intelligence to enter the system and be dispatched to appropriate personnel at various locations. Technology can certainly gather, sort, and dispatch information quickly. But personnel must sort out the highest-priority data from the rest to prevent overloading the overall system with too much information.
In a major design challenge, initial priority tagging of incoming information must be consistent and policy-driven. Therefore, those who decide how to treat the information have visual cues before they ever look at the information, as well as confidence that the tags are applied consistently. They need to get the information in a form that lets them make quick decisions and direct the information with a single keystroke. This first level of sorting is probably the most crucial. A critical balance must be struck to avoid information overload and prevent suspect IDs from falling through the cracks.
Yet even with an unlimited budget and time, someone could always get through. The first priority is to make access as difficult as possible. The second priority is to detect, as quickly as possible, when someone has slipped through the defenses. Just as important are effective contingency plans for limiting the loss of life that may accrue.
At the Salt Lake City Olympics, newly developed detectors were in place to identify assaults using chemical weapons. Although not publicized, similar technologies most certainly are set up in Athens looking for chemical, biological, and radiological presence. At Salt Lake City, supplies of first-aid remedies for all means of attack were kept near each venue to shorten the time for first responders to be able to treat victims and save lives. It's safe to assume that similar steps were followed in Athens.
The critical element in this very complex system is the one that coordinates all of the separate pieces to allow for very focused responses to one or a group of simultaneous attacks. As we've seen in several instances, terrorists will sometimes attack in a series of coordinated assaults. The September 11, 2001 planners tried to coordinate attacks on the World Trade Center, the Pentagon, and the Capitol. The March 11, 2004 Madrid train bombings staged nearly simultaneous explosions inside crowded commuter trains.
In spite of the challenge, Greece proclaims great confidence. "We can guarantee absolute security, not only in the Olympic venues but in the city as well," said Colonel Lefteris Ikonomou, spokesman for the Ministry of Public Order. "We have spent lots of money, the first time such huge sums have been spent in Olympic Games history. We will also have the greatest number of personnel in the history of the Games. Greece has done everything it can to prevent any attack, including a biological attack."
AN IMMENSE, COSTLY ENDEAVOR
The cost of providing security at the Olympics has risen steadily since 1972, and it has spiked up sharply in the wake of September 11, 2001. Athens will have spent nearly $2 billion on Summer Games security, which is a significant proportion of the total Olympic budget reputed to have risen to over $7 billion. (The original budget was $5.5 billion.)
Some last-minute cost-cutting moves were made, such as scrapping a large, sundial-inspired monument and replacing it with a simpler, lower-cost fountain. But no one has publicly said that any part of the security budget has been diminished. "I hope that Greece will continue to give the highest possible priority to security measures," said the European Union's anti-terrorism coordinator, Gijs De Vries, in mid-June.
To put the 2004 Games in perspective, the Salt Lake City Winter Games hosted 2500 athletes and 55,000 visitors. The intensified security perimeter covered over 900 square miles and 20 venues. Athens will host more than four times the number of athletes and 2 million spectators. It shares long borders with Balkan countries and is a stone's throw from the Middle East.
The Athens Olympic organizers created an Olympic Advisory Group, a seven-nation team experienced in security planning and execution. It comprises members from Australia, France, Germany, Israel, Spain, the U.K., and the U.S. Because it's in no country's interest for the Olympics to be marred by terrorism, both official and unofficial intelligence sharing is going on, as there was for Salt Lake City.
In the final analysis, nothing we do is risk-free. Despite Greece's optimism, efforts, and expenditures, no security system is absolute. We know Athens has made security a high priority. We also know it has invested a large proportion of its budget to decrease the risk of terrorist incidents. Many athletes and visitors have decided that those risks are acceptable. Some have opted not to be there. Both are valid, informed decisions.