Cyber security deals with proliferation of insecure devices at a mass scale similar to the volume of guns. Cyber and physical security have overlapping protection concepts: The scale and insights of cyber illustrate why our current debate is frozen with people arguing the same tireless points that in the end marginally prevent mass shootings. If nothing else, here is the takeaway: The debate is stuck because we are focused on how to prevent a weapon from getting into an attacker’s hand or how to respond when one does. Real solutions need to address mass shooting root causes: the solutions lie in the actor of the crime, not the instruments of the crime. The focus of the public discussion on real solutions to preventing mass shootings needs to change from objects to people. Cyber security can help us illustrate why.
All security is applied in layers: there is no single magic solution. Although each defense layer helps, the public should have realistic expectations about the effectiveness of the measures applied at different layers. Each measure put in place has a countermeasure that can be used by an attacker. This measure-countermeasure duality is a never-ending arms race between good and evil. We need good to triumph, but the unfortunate fact of life is that evil sometimes wins in this duality. The public must not be lulled into a false sense of security by feel-good politicians and activist journalists engaged in security theater. Below are pragmatic arguments: they not political ones. Our aim should be that a would-be attacker never shows up to commit the crime.
Professionals may use MOM — Means, Opportunity, and Motive — to analyze security situations and develop solutions. In the case of mass school shootings our objective should be to find and implement preventive security solutions that are scalable, cost effective, pragmatic, and effective against a determined attacker. To illustrate that which may work and that which won’t we will use MOM to illustrate the limits of the popular suggestions: MOM will also point us to solutions which are not focused on in popular culture. Denying an attacker one of the MOM categories is normally enough to prevent the crime itself. Let’s take each MOM category in turn.
Means. Let us simply call this section to which it applies for what it is—gun control. In the current case of firearms in America, the logic when it comes to the means is deceptively simple yet wrong. The idea is: Take away the tools and you will stop the fatalities. Guns may be touched and felt; they are the most tangible aspect and, for this reason, the area on which people tend to focus. In America restricting or banning the tools is the least effective layer to place a solution. Every smart electronic device — computer, tablet, phone, TV, etc. — may be turned into a cyber weapon. Every one. Cyber security professionals cannot prevent an attacker from turning a device an attacker owns into a cyber weapon. And, professionals do their darnedest to prevent an attacker from weaponing and controlling systems to which an attacker should not access. Similar to a gun, it is the intent of the attacker that turns a benign object into a destructive one. To help reduce the risk of these devices becoming weapons not owned by an attacker, cyber security uses end-point protection: It is changing the default properties of the electronic device to prevent an attacker weaponizing it. Guns, by contrast, are “dumb.” They cannot be updated or controlled in any way. They cannot be remotely managed like electronic devices. The only solution with impact at this layer would be to significantly reduce the number of guns themselves. Just like one cannot recall hundreds of millions of electronic devices, one cannot recall hundreds of millions of guns as some have proposed. Given their volume not only would it be extremely expensive, prone to being significantly incomplete, create a black market, be a radical change to the American culture, and would violate an Americans’ constitutional rights, there is no good reason to believe it would work well: attacks in Europe and Australia demonstrate that motivated attackers find guns somehow. Mass school shooters are motivated; they plan out their attacks.
What about changing the components of the weapons? With an eye to the future, the potential ubiquity of 3D printing will give any individual in the world the ability to be their own manufacturer and create the weapons and components of their choosing. What good are banning assault weapons, reducing the magazine size, raising the age requirement, background checks, etc. when someone can print what they want in their bedroom? Even now, before mass 3D printing, a determined attacker can purchase any restricted item needed on the black market.
Background checks may be a great means for stopping crimes of passion but they are of limited value when stopping someone dedicated. In cyber security we call this the problem of the insider threat; exemplified by Snowden, it is a person who abuses their granted rights. A mass shooter authorized to purchase weapons has a significantly less chance of being caught. In the case of guns, the Means category shows us that solutions here — security mechanisms around access to devices and their components — are of very limited value. They are mainly implemented for the emotional value of citizens than their potential effectiveness. Simply put, in the case of a determined mass shooter, there are no significant or moderately effective counter-measures here.
Opportunity. Security professionals usually define this as either enabling circumstances or the targets of attack. The popular discussion in this category revolves around arming and fortifying schools: metal detectors, armed guards, armed teachers, concealed carry, air marshal equivalents, buttons which lock doors, alarm triggers, etc. Frankly the solutions proposed in this category will be more effective: In terms of mass school shootings, security at this layer is close or implemented throughout the geographically fixed target of attack. An example of how this works in a different context would be the security setup at a major event such as the Superbowl. Recall, our goal is to prevent an attack from starting. In a mass shooting the security recommendations in this category are mainly a responsive measure to something, an attack that is occurring or about to occur. Plainly, a kid shows up to school with a gun and then security actions are taken. These measures should be viewed more as a defense to an attack in progress, although there are some deterrent affects here too that would fall under prevention.
From a cyber security perspective, we can again use the concepts of end point security to analyze fortifying educational institutions. The changing of the settings on an operating system configuration to harden it is one aspect of end-point security that may be likened to that of school fortification. And, like cyber, different school environments have different levels of risk and should probably have different hardening configurations. Immediately there is a significant difference between cyber and physical: ease of applying these security measures. In cyber we can make a configuration with numerous setting changes, test it, and deploy it to update computers we control across the world en masse with relative ease and relatively little cost. This is not true for physical locations. We cannot update all of our schools without immediate and potentially significant costs; physical solutions don’t scale well here and their application is not universal.
From the cyber security perspective this is also a centralized versus decentralized protection problem. We learn from cyber that protecting a single server in a single location would be more cost effective than protecting thousands of servers spread across the world, each with a unique configuration. The same holds true for schools: The cost of fortifying each school will increase with the amount of protection and the repeated maintenance of that protection. And, pragmatically, the amount of school fortification might normally be very limited in scope given the costs, especially since schools were not designed to be fortified. It may not be possible to deploy enough security controls even if there is a desire to implement them. Given the number of schools attacked by a mass shooting relative to the cost of protecting all schools for an anomalous black-swan mass shooting event points to fortification as a non-optimal solution in the Opportunity category. In addition to the protection costs there are additional trade-offs: The educational environment would continue to be fundamentally changed. Changes at this layer should probably be decided at the state and local level and be community-dependent. Not every community may want to fortify their school in the same way, fortify to the same extent, or even fortify at all. Concretely and respectfully, the “concealed carrying teacher” may be a solution for a community in Texas but not for a community in California. Again, the fortification possibilities being debated in the popular culture at this layer are about detecting and reacting to something in progress rather than a real preventive solution. Furthermore, while it’s beyond the scope of this article to discuss the failures of these security measures in the time of crisis, that is another aspect of the risk equation and the public needs to have the proper expectations set in this regard.
Motive. What drives an attacker? What is their incentive? According to MOM, without an incentive the attacker would not be motived to commit the crime. Consequently, disincentivizing a would-be attacker is a layer of protection aimed at being a true preventive measure. In contrast to serial killers— who aim to work in secret—one primary aim of mass shooters is notoriety. It is something we should deny them. We should deny them their months of media coverage and news cycles. We should rewrite the ending to the Columbine “mass school shooting” “cultural script” now copied by attackers. The mass school shooting is a means — an abstract instrument — to the final aim of exploiting the media to elevate the attacker’s profile through hype and sensationalism to direct attention back to their self-esteem needs. The attackers are implicitly exploiting and using journalists making them complicit in fulfilling their ends.
One “notoriety reduction” solution aimed to disincentivizing the attacker is to change how we communicate information. In cyber security we control this information flow to reduce an attacker’s knowledge and ability to attack before computers and devices are updated. We call it Responsible Disclosure. While eventually all information is usually made public it is disclosed in such a way to prevent as much harm as possible. Content publishers may borrow ideas from cyber’s responsible disclosure but would ultimately need to craft their own mass shooting reporting protocol aimed at this disincentivizing. One narrow suggestion may be to change the language, tone, and overall communication style — perhaps limiting or forbidding initially publicizing the attacker’s name and likeness — when reporting or covering such crimes to reduce sensationalism in order to disincentivize future occurrences.
A responsible press is not contradictory to a free press: Responsible disclosure should not be considered censorship or self-censorship, just a procedure to deny an attacker their immediate recognition and glory. A solution at this layer fits the criteria set out in the introduction of this article. Since it is mainly a procedural issue, the overhead of this solution is nominal, cost-effective, and adoption should be near universal. The examples above build communication prevention around the particular motive of notoriety; other motives may mean other solutions.
We can also be proactive to detect the motivation of an attacker. These are additional preventive measures that aim to intercept someone before they show up to cause harm. In cyber we call this threat intelligence. Attackers leave clues as their motivations with friends and/or on social media. Our ability to search and find specific data is better than ever before. Public-private partnerships between major and minor social media platforms may be leveraged to report leads to law enforcement in regards to mass shooting specific content, behaviors, and images tied normally tied to school shootings. Teachers should have reporting mechanisms once they identify students who may hurt one’s peers. Teachers should have a way to get the mental health of such an individual addressed. Students need to feel safe to report their concerns to school administrators if they see or suspect something. With the proper balance of civil rights, law enforcement can monitor the underground school shooting culture in the public sphere in the same way they monitor for terrorists. Might there be potential for artificial intelligence here too? Although we may need more investment for this protection mechanism that follows, leveraging existing law enforcement protocol infrastructure for following up on potential mass shootings leads would be cost effective and is already in place, especially from dealing with terrorism. Here we just need to do what we’re doing even better and more of it. And, we need to make sure the existing security controls in place are effective and executed in accordance to established law, procedure, and best practice. These are the active and engaged human elements of prevention; not passive laws.
In cyber we have security awareness campaigns. We also need to pro-actively disseminate a clear cultural message to would-be attackers to disincentivize or change their motive. These messages should be widespread, perhaps through TV and online campaigns. Public Service Announcements (PSAs) are a past example of awareness campaigns although both private and public entities may be more creative in their communication efforts and material. We should give such messages both a positive and negative content. On the positive side we should communicate that we have an outlet for them as alternatives to committing crimes. Perhaps I’m not the most articulate with the following illustrations but I hope they get the larger point across: It needs to be communicated to would-be attackers that they can use their pain as fuel to do something positive in life. Transfer that internal fire to a project or activity that will benefit themselves and others. We need to communicate to them options such as becoming an athlete, studying a subject matter, or creating a solution to a problem: Write fiction, non-fiction, poetry, short-stories, a book, a movie; become an actor; learn to code and create an app: encourage them to redirect the anger to something positive. Properly set their expectation that there will be a lot of hurdles and not to expect a success overnight. We need to also communicate that there are professionals waiting to help. This may be one-on-one or simply a larger awareness campaign to help reach such alienated youth. Doing works. On the negative or consequence side, our collective social public message should be clear: “You will not gain the notoriety you seek; we as a society will swiftly punish you to the maximum possible (death) and you’ll be swept into the dustbin of history as a nobody. You will not even be forgotten, because you will remain an unknown.”
Again, there is no magic solution at the Motive layer either. Similar to the idea that companies and organizations develop a culture of security to reduce risk, American culture needs to modify and remove the enabling human cultural factors in order to prevent mass shootings. And the security mechanisms above are not the only options available: they are designed to be concrete enough to be grasped and to change the nature of the debate. They are sample illustrations on how to better reallocate resources to prevent these crimes from potentially occurring in the first place.
We used MOM to see that the most fruitful avenue to prevent a mass school shooting is though the motive or psychology of the would-be attacker. The most effective solutions in terms of cost and scope for prevention are through “human intelligence.” Given that this issue is emotionally and politically charged it’s important to reiterate: We may decide to put security at each layer of MOM. Security is designed in layers so a combination of measures is the most effective. To be clear, I am not suggesting we do nothing in the categories of Means and Opportunity. Rather, I’m suggesting we should have realistic expectations for each category and put our energy toward that which can make the most difference with the implicit understanding that an unfortunate fact of life is that we will never be able to stop all evil. Simply put there is no panacea. It’s important to show the strengths and weaknesses of the security solutions at each layer to prioritize and properly allocate resources where they will make the greatest impact.
By far the most fundamental, important, and most challenging layer boils down to people. We need to focus on us.