« RSA 2011: Mini-Metricon 5.5 and ABA InfoSec Committee Annual Mtg | Main | How to Fix the TSA »

The Great TSA Debacle: Groping for Success

There's been a veritable metric ton of coverage this past week over the TSA and their ham-fisted approach to security. This week's controversy is around the combination of back-scatter X-Ray scans and the introduction of "enhanced" pat-down techniques that, in some states, literally amounts to definitive sexual battery. There are an increasing number of anecdotes from people about abuses of the system, and a whole lot of attention placed on privacy issues. I'll provide some thoughts on those aspects, but before I did so, I want to hit what I think is the #1 reason why I think the TSA is wholly deficient in the area of airport security.

First, a word on terrorism: By abandoning the principles upon which this country is founded, and which make the US unique and special, the terrorists have won. Every time the bureaucratic geniuses here in DC make another idiotic and irrefutably clueless decisions like this latest round of lunacy, the objectives of the terrorists are achieved in ways the terrorists could have never accomplished on their own. It is our patriotic duty to refuse to be terrorized (http://www.schneier.com/essay-124.html)!


Stop It! You're Doing it Wrong!!

The current TSA approach is based on a logical fallacy. Their approach, as with legacy information security theory, is based on the premise that all threats can be blocked at the security checkpoint (aka "firewall"). Unfortunately, this notion of "perfect security" does not stand up to scrutiny, as has been demonstrated time and again by terrorists and cybercriminals who make subtle or remarkable changes in attack methods and end up being reasonably successful, at least in terms of breaching the perimeter.

There is no way to be completely secure. To achieve "perfect" (or 100%) security, the TSA would have to repel all attacks, which is simply not possible. Instead, they have been - and continue to be - highly reactive, well after the fact, to new one-time threats like the shoe bomber, the underwear bomber, the cargo mail bombs, etc. The problem is that the changes they've implemented, by-in-large, end up achieving the objectives of the terrorists without actually decreasing (or effectively mitigating) the threat. Instead, honest people are inconvenienced, or embarrassed/humiliated, or physically assaulted (see more below) in the name of "security" that is designed to say "look, we're doing something!" while that something ends up being more harmful to society at large.

Let me state this unequivocally: the expectation that all threats can be stopped is errant and dangerous. It is based on the logical fallacy that if we just stop all known threats, then we'll be ok (*ahem* AV, IDS/IPS, etc.). Unfortunately, as with firewalls that need to allow ports 80/443 (http/https) through, so security checkpoints must allow passengers through. That is to say that, by design, the perimeter is permissive. As a result, the only logical approach here is to shift away from increased investment in the perimeter and to alternative methods that rely on increased monitoring and awareness, and that promote an environment that is resilient to attacks and that can rapidly recover from a detected breach/incident. Until we make this fundamental shift in thinking, we will continue to suffer the same mistakes of the past, including the ongoing erosion of civil liberties and personal privacy.

What Should They Do Instead?

Rather than relying on perimeter-based security screening, the TSA instead needs to abandon their "perfect security" mindset in favor of a survivability model. It's imperative to accept that incidents will occur. A properly motivated attacker has far more options for being successful than the TSA has for defending against them. Time and again, as attack methods evolve, the TSA is shown to be fools, and for good reason. They need to shift to improved active monitoring, response, and investigation.

Beyond this, additional measures need to be added. All passengers should be interviewed prior to boarding. Agents (uniformed and not) should be physically present in terminals, applying good investigative techniques. Rapid response teams should be trained who can interdict a threat, as well as help with recovery after a breach. The key is in designing a resilient approach that is layered and that relies on intelligence rather than blind stupidity (e.g., making my toddler remove her shoes and then be subjected to either dangerous radiation or to an illegal groping).

Keeping the basic checkpoints (magnetometers and luggage x-rays) that are minimally intrusive should be maintained to help thin the stupid, but otherwise we need to instead look at monitoring the entire environment, building rapid detection, response, and resiliency into the environment and processes (the head of Amsterdam's Schiphol Airport, btw, agrees). Unfortunately, our mentality is one of "beating this thing" rather than one that is actually realistic and achievable: surviving.

BTW, Rep. John Mica, the Republican who will soon be chairman of the House Committee on Transportation and Infrastructure, is telling airports to dump the TSA in favor of hiring their own security force. Apparently the TSA was never intended to become a national airport police force... in a way, this is a bit of a cop-out on the part of politicians... they created this monster, and rather than reigning it in themselves, they are instead passing the buck to airports and citizens... nonetheless, it's very telling when politicians are in favor of alternatives...

"It's not an Israeli model, it's a TSA, screwed-up model," says Mica. "It should actually be the person who's looking at the ticket and talking to the individual. Instead, they've hired people to stand around and observe, which is a bastardization of what should be done."

And, of course, it doesn't help that the TSA leadership is clearly delusional and/or clueless...
"...screenings on passenger and cargo planes are on par with practices in European countries and less invasive than practices in other parts of the world." I don't recall being x-rayed or groped in any other countries in the past 5 years... true, I've never flown to Israel, but I have been through England, the Netherlands, Germany, and Greece, as well as India, Singapore, Mexico, and China... sheesh!

Is TSA Breaking the Law Today?

There is a ton of stuff online now discussing this issue. There have been prior rulings on the legality/Constitutionality, but there are now new issues to be discussed and tried. It appears that in at least some states it may in fact illegal to do the "enhanced" pat-downs on children (per colleagues, this story shows "a prima facie case of sexual battery of a child under Tenn. Code 39-13-505(a)(2)" - meaning, on the surface it appears that enhanced pat downs of children are by definition sexual battery).

Here are some other stories about TSA screener activities that reinforce this notion that some of these actions are likely illegal:
* "TSA - Sexual Assault"
* "TSA Fondles Women and Children Refusing Airport Naked Body Scanners"
* "Pilots told to avoid new airport scanners, "demeaning" pat-downs"
* "For the First Time, the TSA Meets Resistance"

The ACLU and EPIC are actively pursuing investigations and suits. Too little too late methinks. It seems clear to me that TSA is out of control and completely lacking appropriate perspective.

In terms of the legal basis for the screening checkpoints themselves, there are some open questions. Some states (e.g., Texas) actually prohibit blanket searches, which then raises the question of whether or not a federal agency is allowed to violate state law (this is fundamentally a Constitutional question that goes to States Rights).

Unfortunately, in terms of the security searchers, there's already considerable case law that allows the practice, and have concluded that airport screening (termed "administrative searches") is not dependent on a consent model. That is, once you choose to enter a security screening zone, you may not opt out of the screening altogether. This ruling is meant to protect security checkpoints from being tested by attackers. The logic fails me, but alas, we're stuck with the aging judges we have who live in a world devoid of a reasonable understanding of modern security practices.

There is, however, an interesting line of thought from United States v. Aukai out of the 9th Circuit back in 2007. In their ruling on blanket administrative searches (which, again, are likely illegal in some states), they said that "where the risk to public safety is substantial and real, blanket suspicionless searches calibrated to the risk may rank as ‘reasonable’-for example, searches now routine at airports and at entrances to courts and other official buildings." A couple of the key issues here are thus:
1) "the risk to public safety is substantial and real" - How substantial and real is the threat of someone walking through a security checkpoint, onto a plane, and causing major casualties? Ok, now stop for a minute, count to 10, and think about this rationally, rather than emotionally. Since 9/11, how many attempts in the US have been successful? How many breaches of security have occurred? I can think of 5 or fewer publicized incidents, none of which were successful, out of thousands of flights over the past few years. That's far less than a 1% rate of incidence. You're far more likely to get into a fatal car accident going to/from the airport!
2) "searches calibrated to the risk" - Tying into the first point, it seems like a LOT of money is being invested into these back-scatter scanners in order to hit the absolute fringe cases, all the while ignoring the other 99% of the airport through which an attacker might proceed. These efforts are not calibrated to the risk represented.
3) must be conducted pursuant to statutory authority - This is an interesting question. What, exactly, has the TSA been authorized to do? Does that authorization supersede state and local laws? Is the federal government and its agents and agencies above the laws of states? This would appear to be a fundamental Constitutional issue... putting aside their methods and clear lack of clue, is the TSA even operating within the confines of the law?
4) the search "is no more extensive nor intensive than necessary, in the light of current technology, to detect the presence of weapons or explosives [and] that it is confined in good faith to that purpose." - The sentence pretty much says it all here. Is the search reasonable? Is it confined in good faith to the objective being sought? More importantly, when you considered #1 and #2 above, is it even remotely necessary or appropriate? It seems the clear answer here is "no."

Examples of Abuse

Despite assertions to the contrary, we're already seeing immature behavior by TSA agents and blatant abuses of their authority and duties. Oh, and they've not been consistently hiring quality people either. So, not only is the screening approach completely idiotic, based on a logical fallacy, but they aren't even consistently hiring people who can conduct said approaches in a responsible and respectful manner.
* "One Hundred Naked Citizens: One Hundred Leaked Body Scans"
* "TSO saying "heads up, got a cutie for you""
* "TSA Agent: ‘I have to put my hand down your pants’, after which he did precisely that."
* "Facts Contradict That Image Scanners Can’t Save or Print"
* "Nude Body Scan Images Recorded, Leaked"

National Opt-Out Day

A "National Opt-Out Day" is being promoted for Wed. Nov 24th (historically the busiest air travel day of the year). While I'm loath to promote such a notion given that it will inevitably screw up my travel plans, I'm also in no way interested in giving the TSA a pass on this issue. We have been dealing with these morons for too many years. It is time to take a stand and begin actively resisting what is imprudent and unjust. For more information, please see:
* Official Site - National Opt-Out Day
* "TSA Opt-Out Day, Now with a Superfantastic New Twist!"
* "Drudge Stirs National Debate On TSA Abuse"
* "National Opt-Out Day Called Against Invasive Body Scanners"
* Site: The TSA Choice - "Would you rather pose for porn or be groped by a total stranger?"

And, btw, none of this even gets into the safety of these back-scatter machines... machines that the federal government has deemed safe, and yet for some reason won't let TSA employees where dosimeters to monitor for excess radiation exposure (even when the AFL-CIO volunteered to pay for the dosimeters and monitoring!)...

TrackBack

TrackBack URL for this entry:
http://www.secureconsulting.net/MT/mt-tb.cgi/1072

Listed below are links to weblogs that reference The Great TSA Debacle: Groping for Success:

» How to Fix the TSA from The Falcon's View
The latest burst of complaints over TSA are well-documented (see my coverage here). There's definitely a lot of merit to many of the arguments, not the least being that the focus on perimeter screening suggests a blind naivety that the... [Read More]

» You Can't Solve What's Undefined from The Falcon's View
It's all over the news, whether we're talking about the TSA and "security theater" or Wikileaks and the sensitive data spewing out of government, business, and academia (there's a certain irony here, btw, insomuch as much of this data has... [Read More]

Comments (3)

Daniel:

Very informative. I appreciate your insight and research.

g33ks3cur:

Ben,
No one wants to talk about the issue, but profiling would eliminate a lot of this silly stuff.

Using the firewall analogy...we profile traffic all the time. We might let port 80 or 443 out, but we block 31337/tcp because it is suspect. If it has a legit purpose it is let through after some scrutiny. Instead of stopping all the packets we really need to be scrutinizing traffic that has shown traits and history to being a threat.

Sure the 70yr old Nun "could" be a terrorist, but if we operate in that mode, then we will have to keep doing the same ole' same ole' groping.

Ben:

@Daniel - Thanks!

@g33ks3cur - Agreed, fully. Putting up a new post shortly that includes behavioral profiling in my list of recommendations. We're so scared of not being P.C. that we are literally making the country worse overall.

Post a comment

About

This page contains a single entry from the blog posted on November 17, 2010 12:42 PM.

The previous post in this blog was RSA 2011: Mini-Metricon 5.5 and ABA InfoSec Committee Annual Mtg.

The next post in this blog is How to Fix the TSA .

Many more can be found on the main index page or by looking through the archives.

Creative Commons License
This weblog is licensed under a Creative Commons License.