ISIS made another troubling claim. In the most recent issue of its online publication, the terrorist group revealed a photo of what is allegedly a homemade bomb, which it says was used to bring down a Russian passenger plane over the Sinai Peninsula last month. The photo shows a soft drink can, along with components that look to be a detonator and a switch. If it is a bomb, it is an exceedingly crude device.
And that’s all terrorists need to bring down a plane.
The Metrojet bombing was a sobering reminder that the global aviation industry remains a primary target for terrorist activity. Since the 9/11 attacks, the aviation security apparatus has (rightly) expanded, with myriad technologies, processes and layered defenses to ensure terrorists can never again commandeer an airplane and use it as a weapon of mass destruction.
Yet despite hypersecure airplanes and airports, ISIS still targets the aviation sector. Why? After all, the odds of success would seem much lower than smaller-scale attacks on soft targets (as we saw last week in the coordinated attacks in Paris).
But what the Metrojet attack demonstrates is that terrorist planners have a devious appreciation for what’s called “attack utility;” that is, they know where an attack will have the greatest overall impact. ISIS, al Qaeda in the Arabian Peninsula and other groups are dangerous not just because they can make a bomb, but because they know where to put it to maximize the effect.
And the truth is, it’s not just about the body count.
For example, AQAP claimed responsibility for the downing of a UPS cargo plane after takeoff from Dubai airport in 2010. Not long after, a bomb disguised as a printer cartridge was slipped into the supply chain and discovered at Britain’s East Midlands Airport. In both cases, the goal was likely less about trying to kill the small number of crew aboard. Instead, such plots were likely designed to disrupt consumer and business confidence, causing economic harm and pushing nations to invest even more in their aviation security, slowly bleeding us dry as we spend billions to detect a simple explosive hidden in, for example, a five-cent soda can.
Osama bin Laden stated before and after the 9/11 attacks that two of the goals had been to cause economic harm and trigger reactionary spending, and subsequent attacks have shown terrorism can indeed hit a country’s economy; the 2004 Madrid bombing and the 2005 London bombings both drove down those countries’ respective stock markets. More recently, after the Charlie Hebdo attacks in January, there was widespread cancellation of reservations at Paris restaurants, bars and hotels.
Some countries have suffered an even bigger economic impact. Since the revolution that ousted former dictator Hosni Mubarak, Egypt’s economy, which has a large tourism sector, has been devastated. The tourism center of Sharm el-Sheikh had seemed to avoid the worst of the economic impact, but even that location is set to struggle after the Metrojet crash, with several nations suspending flights there.
Last month’s crash, assuming it was indeed the result of an ISIS bomb, highlights the key aim of terrorism: engendering fear. The suspected attack appears intended to send a message to Russian citizens that they are not safe in Egypt because of President Vladimir Putin’s actions in Syria. That compounds the economic harm to Egypt, while also reminding the world that despite all our security investments, terrorists can still penetrate aviation security.
How could ISIS have pulled off the bombing of a passenger plane? Analysts have speculated that an airport employee might have secreted a bomb aboard the plane. If that’s the case, it reveals (another) Achilles’ heel in our security system while sowing doubt among passengers about the people who are meant to be keeping them safe on their travels.
But if ISIS’ claims about a soda can-sized bomb are true, it also demonstrates that terrorist bomb makers can craft an explosive device from just about anything. As a result, the challenge for the security community today is less about looking for bad things as it is looking for bad people. In the case of Metrojet, there may have been at least one bad actor at Sharm el-Sheikh airport. Whether they were an employee or someone who managed to penetrate the secure areas remains to be seen. In any case, it is less important to worry about whether terrorists can hide explosives in a soda can (or any other seemingly benign item) than it is to worry about who will move that item through security and how they do it.
What does all this mean moving forward?
Security considerations should include employing randomized employee security screening and regular background checks to address the insider threat. Meanwhile, we should be cautious that we do not inadvertently give terrorists what they want by wildly increasing spending in pursuit of the ever elusive 100% security and changing our plans based on fear, because while we can reduce risk, there is no perfect security solution, a reality we should continue to stress.
Ultimately, people are as much a part of the system as the policies, processes and technology designed to protect them. And the choices we make on all these in the response to tragedy will dictate just how much utility terrorists can extract from their murderous actions.
This piece was originally published on CNN.