Newark Breach Hype to Hysteria

A man recently slipped through the airport security exit at Newark to accompany his girlfriend to the gate. TSA typically has a guard or two stationed at these exits, but in this case the guard had wandered away, leaving the exit unattended, leading to the "breach" of security. The man has since been identified and arrested, and he faces trespassing charges in the State of New Jersey. That's right, there's no federal violation here, nor is there in fact even a major violation of law. He simply ducked a rope and walked the wrong way so he could spend a few extra minutes with his girl.

The way the media tells it, you'd think he was the Antichrist bringing the Apocalypse. On the heels of the failed Nigerian Underwear Bomber, the masses have already been whipped into a frenzy. This incident just takes that to the next level. Check out these news stories about the incident, paying close attention to the "average citizen" interviews at the end. Note the panic and - in particular - how very low frequency events like this are met with shock, outrage, and outright hysteria. The mother escorting her son to his first international flight stood out for me as the most indicative of the problem. See Schneier here for his thoughts on the knee-jerk security theater reactions to incidents.

To me, the failure was not the guard being absent from his station, nor was it even the guy who wanted to spend every last second with his girlfriend. The failure was in the security design itself. Specifically, airport security lacks any real redundancy. This failure is a lot like No Child Left Behind, really, if you think about it. You have high-stakes testing that is almost completely meaningless, yet when it fails you're left almost completely exposed and broken. There's relatively little compartmentalization, there's no resiliency to failures, and there almost seems to be a delusional belief that all breaches can be prevented. All of this leads to punishing the majority of people for the failings of security and the actions of the extreme minority, hype that is further amplified by the media and politicians who feel pressured to "do something."

Redundancy and Resiliency
This failure was trivial, and yet it resulted in a major lockdown and re-screen reaction from the TSA. Basically, the TSA screening checkpoint is the ONLY control into the so-called "secure area." If this control fails, then you have to flush it all and start over. How absurdly ridiculous.

A better design would be to deploy multiple tiers of controls. These tiers could include simple "quick" screening through metal detectors, etc., supplemented with roaming patrols, and then further supplemented with follow-up screening at gates that is more distributed and intelligent. There should almost never be a need to shut down an entire terminal or wing as a result of someone slipping through a single checkpoint.

More importantly, the up-front screening process should be designed for speed and efficiency. All this talk about adding more screening measures up front is simply absurd. For example, these "full body" scanners would not have caught the "underwear bomber" (see more from Schneier here). Why are we taking off shoes? Why are we worrying about coats and belts and rings? The fact of the matter here is that the TSA is wasting a lot of time looking for the wrong things in the wrong places in the wrong way. All in a scenario of high-stakes testing, where their expected level of performance is unachievable.

100% Security vs. .000000001% Breaches
The core problem with airport security today is that there is an irrational expectation that airport security can be 100% effective. Unfortunately, this is nowhere near reasonable or true. More importantly, attackers need only succeed once. Building on this faulty premise actually introduces more risk into the overall system, because it puts too much value and importance on the single high-stakes test.

Distributing and layering the defenses is a much more sane approach, as is operating under the belief that breaches will occur and focusing on how to compensate for those breaches with secondary or tertiary measures. The last line of defense is the crew and passengers, and we now know that this line of defense is pretty good in the face of a real, realized threat.

In infosec we balance countermeasures against threats with practices that reduce vulnerabilities. A similar balance must be struck by the TSA, with a specific eye toward survivability rather than some mythical dream of "absolute" security that inconveniences law-abiding citizens without stopping malevolent forces.

Punishing the Masses: Creating Ill-Will
I often wonder if anybody in government thinks about the consequences of their actions. At some point, people will overcome their fears and realize just how badly they're being treated due to a very small number of bad eggs. More importantly, abuse is heaped on us in a way that is ineffective and oftentimes imbecilic (such as TSA confiscating Play-Doh from a child in New Orleans). In many ways, it's almost malicious and capricious, which further infuriates people. At some point, folks will simply not accept or deal with it any more, and they will either rebel, or they will go somewhere else (just what the airlines need - fewer customers, right?).

Manufacturing and Amplifying Hype
The media+politicians are generally to blame for these problems. They just love to generate and build on a platform of FUD. You see, it turns out that scared people are far easier to manipulate than sober, sane, and rational people. We need to work aggressively against this abuse of power and resist the urge to be fearful. Humans seem to be especially sensitive to low-frequency events with a potential for being high-impact. We need to be very careful that we don't simply flail about in the face of such things as it legitimizes the terrorists and their actions. We are consenting to be terrorized, empowering those who have no real power over us. This is a dangerous practice.

Doing Something, Just Not the Right Thing
All of this flailing about leads to the inevitable: doing something rather than doing the right thing. If we're running scared, then our emotional state will undermine our ability to make good quality decisions. We need to abstract out the response from the emotions so that we can develop sane and reasonable responses (assuming ANY response is needed - sometimes it's not!).

Unfortunately, politicians are the squeaky toys of mainstream media, tending to blurt out "solutions" in the face of FUD and hype, stoked by fearful emotion (their fear is typically of losing elected office for lack of "doing something"). It is far better to do something well and proper and right than it is to do things that are blatantly idiotic and that will have a negative impact on the overall goal.

Incidentally, what exactly is the goal of airport security? Is TSA achieving, or even working effectively toward, this goal? Check out the TSA Mission, Vision, and Core Values and decide for yourself.

Updated: Here's a new post from Schneier on the underwear bomber and the likelihood of humans to overreact to rare threats...

This page contains a single entry from the blog posted on January 11, 2010 4:30 PM.

This weblog is licensed under a Creative Commons License.