« Obama on His FISA Vote | Main | Non-Fiction Review: Ask the Right Questions Hire the Best People by Ron Fry »

The Absurdity of Physical Security Screening

As already mentioned, I had the opportunity to attend an Obama rally this week. Perhaps the single most intriguing thing to jump out at me from a security perspective was the security screening process. In addition to requiring everybody to get tickets in advance (thanks to the wife on that), we then had to stand in a line while everywhere filed through a number of metal detectors setup and run by the Secret Service.

Now, before I go on and give you a chance to consider me an idiot, bear this in mind: the tickets urged people not to bring bags because of security screening, but it never clicked with me (for whatever reason) that they would be doing airport-style crazy screening. In my own defense, when they walked us through security screens on the National Mall, there were no metal detectors and thus I didn't have an issue. This time, however, I was caught unawares, and it cost me... a pocket knife.

To provide the proper framing for this scenario you need to first understand the environment. The rally was held in a high school gymnasium with an estimated 2500 people. The bleachers on both sides of the court were opened, as well as part of the bleachers on the end court directly behind the speakers platform, with "VIP" seating in a specially cordoned off area in front of the speaker and then with media platforms and tables on the back half of the basketball court. The speakers' platform had open space padding it and a half-dozen suited Secret Service agents watching closely for anything suspicious.

In other words, arriving as close to the start time as possible while still being early enough to get a seat, Hanna and I were half-way up the bleachers on the side opposite the speakers' entrance and well away from the platform. In fact, I'd say we were a good couple hundred feet away. So, definitely not within arms reach, or even within decent throwing distance. Could I have thrown a tennis ball to the platform? Sure. Could I have hit the small podium with any degree of accuracy? Not in a million years. Anyway, you get the picture.

Back up now to the entrance process. After standing in line, having our tickets "validated" by volunteers who were checking to ensure that we'd written our names on them (apparently Hanna having to register for them in the first place wasn't good enough), we then entered through the front door and proceeded to get in line at the metal detectors.

These appeared to be your fairly standard detectors, with no X-ray equipment setup, but there were a few hand scanners circulating, just in case. In line we were told to have our cameras and cell phones power ON so that we can demonstrate that they worked. Nothing was said about liquids, nor about sharps. This is where I got fouled up.

In order to pass through the metal detector, I had to empty my pockets for the guards. When I dropped my keys and pocket knife into the guard's hands he said "What's this?" I told him it was a small pocket knife and he said "Well, there's no way that's getting through here." I said "Really? That little thing?" He was adamant and told me that I was welcome to take it back to my car (parked about half a mile away) or I could forfeit it. I told him there was no way I was walking back to my car, and then just waited for directions. After a couple beats of blank stares, I finally said "Well, take it, let's go, let's get through here." It's not like I wanted people behind me yelling at me for holding up the line.

The best part of this experience was when I got to the other side. I said the the white-uniformed Secret Service (Federal Protection Service) guy "Gosh, I didn't think for a minute that security would be this tight for a friendly rally." to which he retorted "Well, maybe you didn't hear, but this guy is running for president." I said "Yes, but it's a 1" blade, so not exactly a huge threat." His response was classic, and perfectly exemplifies what is wrong with physical security screening. He said, and I quote "Even a toothpick can be a deadly weapon." I wanted to retort, but instead, knowing that this was not the time for a philosophical debate, I just moved away, casting over my shoulder "Don't tell the TSA that!" :)

The Myth of Absolute Security
This tit-for-tat act with the Secret Service made it rather apparent that this guard viewed his job as entailing removing all threats to the man being protected. Unfortunately, he failed, and badly. By his own admission, something innocuous like a toothpick in the hands of the right (or wrong?) person could be a lethal weapon, just as every photographer, no matter how clean their background check, could snap some day and start assailing someone with their heavy rig (I mean, look, those things even have long straps to allow for a good solid swing).

The problem with this myth is that it not only sets one up for failure, but it also results in a focus on the wrong things. Instead of watching the crowd for suspicious behavior, instead they're focusing on whether that nail clipper might have a nail file with a sharp point. And for what? Is the guy sitting 150 feet away really going to be able to chuck his poorly balanced Swiss Army knife the distance so as to represent a real threat?

Now, in fairness, it's likely that the secondary mission of the guards was to provide for the safety of the audience, in which case you can argue that removing the knife is a good idea. However, in the grand scheme of things they're again choosing to focus on a very narrow threat rather than considering the overall threat landscape, picking off the larger concerns while structuring a risk resilient environment.

Focusing on Threats Instead of Risks
This matter of focusing on threats is really quite a fatal approach. Why? Because the number of threats are absurdly infinite. There is no possible way to prevent against all threats. No matter how smart you are, someone will think of a new threat. Moreover, even if you stripped everyone down and put them into orange jump suits and shackles, there's still a threat potential. In the grand scheme of things, you will never zero out the threat potential, just as you cannot eliminate all vulnerabilities.

Instead, you have to take a risk management approach to structure a risk resilient environment. To be fair, the rally environment was fairly risk resilient from my perspective. After passing through the metal detectors (and shamelessly forfeiting my pocket knife), we then proceeded into a gymnasium that was absolutely crawling with law enforcement and security personnel. There were multiple layers of barriers segregating the common people from the media, VIPs, and lastly the speakers. The likelihood that someone from the cattle class where we were seated would be able to breach these multiple zones without first being intercepted was extremely low.

This layered security approach (defense in depth, really) is the crux of a quality risk resilience approach. They didn't simply rely on one security countermeasure, but instead used multiple approaches (including a bomb-sniffing dog) to ensure that the overall risks were as reduced and manageable as possible.

Given this knowledge, however, you then must put the metal detector screening into perspective. Did confiscating my small pocket knife actually reduce the overall risk profile for the event? It barely registered in the grand scheme of things. While this guard likely felt self-satisfaction in being a hard-case smart-aleck, his threat-based focused was ill placed and really served 2 key negatives: it annoyed me, causing me to write this blog post, and it forced his people to focus on basic threats instead of looking for larger, more significant threats.

The Case for Behavioral Profiling
As mentioned, law enforcement had a dog walking the halls, sniffing for danger. In this case, it was a handsome German Shepherd, who could have likely been very intimidating. What I found interesting is that we didn't see the dog in the line coming inside, but rather back along the bleachers and near the restrooms. Maybe this was just happenstance, but it seems to me that you probably want a couple dogs prowling about, with one wandering through the crowd, with the intent of making certain people nervous. Moreover, a few of those Titans from the personal protection unit wandering about, not speaking, with reflective sunglasses and a stern, intimidating look, evaluating people in line would have made for a very impressive show of force.

Behavioral profiling seeks to put people under duress a little, just to see how they'll respond. In some airports, such as Amsterdam's Schiphol, you get interviewed before being allowed to enter the gate/boarding area. The questions are direct and intended to rattle you. The inspectors want to see you squirm so that they can register whether or not you're telling the truth.

In larger crowds such as the rally, interviewing individuals is not particularly realistic, but having experienced profilers wandering the crowd in civilian or relaxed attire "chatting" with attendees could accomplish much of the same goals. Combine this with a few stress factors, such as the metal detectors, dogs, and a few Titans and the effects could be quite beneficial.

The danger with behavioral profiling is that it is often lumped in with other profile methods (racial profiling, in particular), and thus represents a case of throwing out the baby with the bath water. Also, it's a skill that requires training and experience. You cannot simply ask a minimum wage TSA screener to start doing behavioral profile with minimum training. Profile is more than simply asking questions, but is also a matter of reading people and understanding what you should and should not be looking for.

None of this is to say that behavioral profiling should replace basic precautions like metal detectors, but it would supplement it in a manner that would allow the screeners at the detectors to be less focused on specific lame threats like 1" blades and instead focus on the true idiots (e.g. people with guns and large knives).

Playing the FUD Card
The biggest problem with physical security is the drama of security theater as played out by using Fear, Uncertainty, and Doubt (FUD). The FUD card is magical and is much abused these days. One could even go so far as to argue that the amount of FUD eschewing from the federal government is tantamount to terrorism in that it serves to terrorize people into blind compliance with blatant stupidity.

The Secret Service guard's comment about the toothpick is a perfect example of FUD. He assumed that I was an idiot because I forgot to take my pocket knife out. I assumed that he was an idiot because, well, he thought that my knife represented a significant enough threat to warrant action. In the end, he wins because he has the power - the power of intimidation and the threat of incarcerating me for being me. Anyway... the point here is that the use of FUD correlates strongly to the story of The Little Boy Who Cried Wolf. If everybody and everything is a threat, and security is seeking to eliminate all threats, then at some point you simple deny all access, and it makes for a very poor rally. Tradeoffs have to be made, and smartly. Making arguments based on abstract fears simply muddy the waters on what could be a far less complicated situation.

It is incumbent upon us to identify these uses of FUD, particularly in physical security screening, and call the disseminator on it. Does this mean you should pick a fit with the TSA or Secret Service? No, absolutely not. But, you should be reporting issues to your elected officials, urging them to enact changes that would reduce the level of stupidity. To the person making the FUD-ful comment, you should simply give a flat response of "I think you're overstating the risks here." and leave it at that. They won't likely understand what you're talking about, but that's a different issue for a different day (wouldn't it be funny, ha ha, if these people had CISSPs... eesh...).

A Call for Sanity
As usual, my request to you is to REFUSE TO BE TERRORIZED! More to the point, it's time that we start demanding more sanity. The U.S. has become far too fractious and partisan over the past 8 years (thanks a lot Rove+Bush+Cheney). It is time that we call for a return to sanity and a doing away with all the idiocy that serves to annoy us without any real benefit to security. Do not except statements by the DHS and TSA that insinuate security improvements when they are merely smoke and mirrors; security theater meant to make you feel better while in the meantime making everyone less secure. Demand the best, most sensible security measures.

It's 2008, which makes it an election year. Have you asked your elected officials where they stand on these issues? Are you holding them accountable? Don't miss your opportunity to register your complaints and beliefs.

TrackBack

TrackBack URL for this entry:
http://www.secureconsulting.net/MT/mt-tb.cgi/725

Post a comment

About

This page contains a single entry from the blog posted on July 11, 2008 9:29 PM.

The previous post in this blog was Obama on His FISA Vote.

The next post in this blog is Non-Fiction Review: Ask the Right Questions Hire the Best People by Ron Fry.

Many more can be found on the main index page or by looking through the archives.

Creative Commons License
This weblog is licensed under a Creative Commons License.