Fixing Security Issue Isn't Always the Right Answer

Trailrunner7 writes "In a column on Threatpost, Bruce Schneier writes that the recent security breach at Newark Airport shows that fixing a given security problem isn't always the right move. 'An unidentified man breached airport security at Newark Airport on Sunday, walking into the secured area through the exit, prompting an evacuation of a terminal and flight delays that continued into the next day. This problem isn't common, but it happens regularly. The result is always the same, and it's not obvious that fixing the problem is the right solution. American airports can do more to secure against this risk, but I'm reasonably sure it's not worth it. We could double the guards to reduce the risk of inattentiveness, and redesign the airports to make this kind of thing less likely, but that's an expensive solution to an already rare problem. As much as I don't like saying it, the smartest thing is probably to live with this occasional but major inconvenience.'"

Re:Overreaction

[LostCluster]

Well, in a "sterile" security zone, one unapproved person can ruin everything. Even if you find him/her, they may have given an weapon to somebody else who was screened earlier and passed. Yep, you've got to clear out the zone, verify there's nothing hidden, then rescreen everybody.

Re:Huh?

[fiannaFailMan]

This problem isn't common but it happens regularly.

So what you are saying is that it is common?

Regular != common. Halley's comet makes regular appearances (every 75 years or so) but you wouldn't say it's a common occurrence, would you?

Re:Here's how you fix the TSA problem

[FooAtWFU]

This won't work for one reason: The employees will fear for their jobs and not report dangerous incidents.

Re:Overreaction

[tiberus]

Guess, that depends on how the problem occurred?!? What security measure failed and why? Is it as simple as someone just being human, lack of education?

We seem much too willing to spend too much time and money to solve problems where the cost-benefit ratio is all wrong. I want to be safe but, I want to live my life. I would like a bit more life at the cost of a bit less safety. I don't feel safer, I just feel annoyed.

That's a really stupid idea!

[Dr. Spork]

The fact that a routine error can cause major institution like an airport to grind to a halt is a sign that its operating procedure needs to be revised. It's stupid to just live with it when there are alternatives

For example, there's been a lot of recent talk about updating our airport screening to look more like Israel's [thestar.com], where they've been thinking about terrorism a bit harder and longer than we have. I'm sure there are other alternatives too. However, remember that the point of terrorism is to cause fear and economic loss to industrialized countries, and to bait us into a self-destructive overreaction. By that standard, they guy who walked through the wrong gate pulled off a pretty impressive piece of terrorism, at basically no real risk to himself. You don't want to enshrine a system where this sort of exploit is possible, or else every group with a quibble can hold an airport hostage.

Re:Death is not an inconvenience?

[couchslug]

"It may be costly - but put it this way - how much is your mothers life worth? Your wife? Child? yourself?"

I and they routinely risk life and limb every day driving to work or seeking medical care, and note that resources consumed by one effort are not available for others.

We are much more likely to die in an auto accident, die of hospital borne infection, or die of hospital borne infection after an auto accident than to be greased by Hadji the friendly Jihadist.

Re:Overreaction

[Trepidity]

Is it even possible to "verify there's nothing hidden"? You can hide a small knife, or small bit of C4, pretty much anywhere--- taped under a bar stool, in a potted plant, etc.

Re:Overreaction

[despe666]

Have fun getting your luggage through that thing.

The whole thing is nuts

[mschuyler]

We've had airport security for decades. When did it start? Early seventies? The only time we needed airport security to work, it didn't. Why do we have to shut down an entire airport because one hapless person entered the wrong room? It's a terrible over-reaction, making us all look like wusses. It's like seeing people freak out because they see a spider. Big deal. Take the spider outside, end of story. No evancualtions. No freak-outs. No delays.

The thing is, the last time we had a real incident, at Christmas, the guy managed to get on and do everything necessary to kill a few hundered people. Only the incompetence of the bomb maker saved the plane and the guy burned his nuts.

So what did we do? Throw him in jail. Get him lawyered up so he won't talk, and THEN our illustrious Czar of Homeland Security gets up and says, "The system worked."

WTF????? Just WHAT about the system worked? What is she smoking?

It did NOT work. It was epic fail. With all these regulatons, with all this taking your shoes off, go through the detectors, 3 oz of liquid max, the delays, evacuations, and freak outs over nothing, the system still is epic fail.

Wait, haven't I heard this before?

[Locke2005]

"Fixing security issues isn't always the right answer." Haven't I heard this before... from Microsoft?

Re:Here's how you fix the TSA problem

[Attila Dimedici]

I've got a better solution. Change it back to where the airport screeners work for the airlines (like they did before 9/11). Then the TSA sends people out to test airport security and fines the airlines when they find security breaches.

Re:Bruce, you're out of your comfort zone

[Anonymous Coward]

I disagree. Mr. Schneier has written at least one entire book, IIRC, on social issues surrounding security. After 'Applied Cryptography', he realized that any good crypto system is useless if the surrounding system, which includes the people and their behaviours, isn't taken into account.

I suspect he's done more thinking on these topics than nearly anyone posting in this thread, including myself...

Sep 11

[nsayer]

I take it a step further.

The security theater that has been implemented since 2001 has raised the cost (in dollars, time and convenience) of air travel enough to divert enough travelers to the nations highways that I posit that we as a nation have suffered more death and injury than had we reacted to the Sep 11 attacks by literally doing nothing at all.

We kill more people on the roads annually than more than 15 such attacks would have done.

Meanwhile, UBL's grand master plan stopped working even before the last airplane was grounded that day - the passengers found out that the rules (give hijackers what they want and you get out alive) had changed and the last plane did not make its target. And because everybody knows the new rules of engagement, that plan will never work again - regardless of any changes (or lack thereof) in government policy.

There are exactly 3 things necessary for airport security:

1. Make sure that no luggage gets on the plane without its associated passenger (you can't blow up the plane without going along for the ride).

2. Metal detectors to keep guns out. The alternative is allowing anybody to carry, thus insuring the entire plane will wind up swiss cheese if any funny business starts. That's a less than positive outcome, IMHO.

3. Lock and bar the cockpit doors for the flight's duration.

And for extra credit

4. Research applying the military's UAV technology to the air transport system. If enough improvements can be made in assuring positive aircraft control, there's no reason the flight deck as we know it needs to exist on the plane at all.

Re:That's a really stupid idea!

[SoTerrified]

The Israeli system mostly works because of one thing... Racial/cultural profiling. Oh, they'll tell you they look in people's eyes for signs of evasion or shiftiness, but if you watch for a short while, you'll notice that the 'random' people they pull out for further screening have certain things in common...

And you know what. I'm not sure it's a bad thing. Let's be blunt, for all our political correctness, the vast majority of bombers do have certain cultural commonalities. No system is perfect, but if you can focus more attention to the highest risks, you get a more efficient system. That's why their system works. Speaking for myself, as someone who is pretty much the opposite of what they are looking for, I walked through security in minutes. Is it fair? Well, no, but it's hard to argue with the results. A location that is FAR more likely to suffer from terrorist attack is safer and much more efficient at protecting themselves than those of us in North America.

Re:That's a really stupid idea!

[Chicken_Kickers]

I agree. As a non-American, and a Muslim at that, I am regularly surprised and somewhat amused at the reaction of the US every time an air port security breach happened. I mean, stop and take a step back to look at the whole picture. Here we have the most powerful nation on Earth, with enough nukes to glass every major city on the planet and with aircraft carriers whose jets out number most third world nation's air forces, being afraid of people getting lost or with their pants on fire. I think al-qaeda or whoever they really are, very quickly realized that they don't even have to try very hard to send the US into a fear-over reaction-panic infinite loop, hence the "pants on fire" "bomber" (I don't even think that this term applied to him). By provoking the US to attempt to cover every possibility, eventually all its resources will be stretched thin while at the same time, innocent people will get caught in the net, increasing the noise to signal ratio not to mention animosity towards the US. Go ahead and adopt stricter screening procedures all you want, especially from Israel, that shining beacon of democracy and equality. It will only add to one more reason why people won't want to go the US. History (China, Japan etc.) has shown what happens to countries when they turn turtle and shut their borders.

Re:Overreaction

[vlm]

This is why there's a wait before the first person is let in. The staff in an airport are trained to look under every seat, etc.

Unless, of course, his accomplice was one of the staff. How hard is it to get a job as a baggage handler, a flight attendant, a contracted guard, or those check in people? Probably not too hard. Or, someone else sneaks in with fake uniform and ID, then F around while holding the goods while everyone else in uniform is "searching the zone" then hand "it" back once regular travelers are returned and sneak back out, thus eliminating the job interview/background check/hiring phase.

Also assumes they didn't sneak a screwdriver in to unscrew the .. whatever .. and hide something inside or behind the .. whatever .., and leave the screw loose enough to remove by hand. Like an air duct, or an electrical outlet, or plumbing access panel, or computer thingy...

And you can't seriously tell me that every boxed item in the gift shop was opened and searched. Or even more sneaky, buy an item from the shop, take it home, stuff what you want in the item, someone else sneaks it back into the store (reverse shoplift), you buy the same item again, now with extra something. Or really special bottled water. Etc.

I wish you weren't an AC

[Firethorn]

Good thing you got modded up - I wish you'd posted this logged in, because it's a good point.

We've gone so far overboard on security that our own security responses often exceed the costs that an actual attack would impose.

One dude, maybe a thousand dollar fine/couple days in the clink, can shut an airport down for much of a day, costing millions. Classic asymetrical warfare.

Heck, the terrorists have already switched from attacking the secure areas to attacking the approach to the secure area. Ever seen the queue to get into the secure airport area? I have a nasty imagination. Just take a suicide bomber, no need for a plane ticket, and have him approach the security area like he's got a ticket and is going to board. Then detonate when in a particularly crowded spot. Heck, he could even have a fairly massive 'carry-on' filled with explosives.

Then again - if I was a terrorist I wouldn't be looking at transportation right now. That's where we're looking. I'd look elsewhere for my targets.

Re:Overreaction

[Anonymous Coward]

*much* larger to accommodate something which regulations prohibit from being larger than 2-feet wide?

And RTFA, the problem with guards isn't hiring them, it's making them pay attention. A closed door that they need to push a button to open infrequently is perfectly acceptable for that. The guard remains bored and inattentive, except the few times when someone requires him to push a button.

Re:That's a really stupid idea!

[Xeno man]

Actually it's been show that profiling makes things less safe. Let me explain. There is a limited amount of resources to thoroughly inspect everyone. Most people like yourself get waved through. Lets say about 5% of people get the special treatment of a full inspection. That only changes when you either hire more staff to do more or choose not to inspect as many people as possible meaning less inspections. Now lets start profiling and devote 4% to Muslims and shifty eye people and the nervous looking lot and still do 1% random inspection just so they can't call us raciest. Want to know if your being profiled? Just start flying. Fly all over and see how often you get the special treatment. If you get pulled aside a few times, your probably not the best choice for carrying the bomb or knife or what ever. Now if you get waved through all the time you know your not being profiled and have a much better chance of bringing something on board that isn't allowed. Before you had a 5% chance of being inspected but now there is only a 1% chance. Seems less safe to me.

Re:That's a really stupid idea!

[QuantumRiff]

Um, you do now that casualty-wise, in the US over the last 20 years, a large percentage of Terrorism Victims are from White Militia members, right? Between Timothy McVeigh in Oklahoma City, and The guy at the Atlanta Olympics... (which only killed one person, and indirectly...)

Re:Death is not an inconvenience?

[dissy]

It may be costly - but put it this way - how much is your mothers life worth? Your wife? Child? yourself?

Obviously they are not worth very much if any of them step outdoors, or drive a car, or are present in a metro city, or do any of the hundreds of daily activities that have a much much MUCH higher chance of killing you.

In 2008, the number of American who died from a terrorist attack was about 260.
All of those except 4 were NOT in the USA. [1]

4 deaths from terrorist attacks in an entire year on US soil.

Also in the whole year of 2008, there were 37,261 deaths from auto accidents. [2]

You are 9315 times more likely to die from an auto accident, be it one you caused, one someone caused into you, or you are walking down the street and two other motorists bring the accident to you on the sidewalk.

That is almost 4 orders of magnitude higher!

For every person killed by a terrorist in this country, nearly 10,000 people are killed by a car in the exact same amount of time.

If you willingly put yourself and mother and wife and child in the situation of 'being out doors' then clearly you value them and yourself 1000 times less than if a terrorist attack was your only concern.

My question to you is, why are you so willing to spend a million dollars to stop a terrorist attack, without spending the equally valid and necessary ten billion dollars to have all cars banned and removed from the roadways?

References:
1 - http://www.infoplease.com/ipa/A0001454.html [infoplease.com]
2 - http://www-fars.nhtsa.dot.gov/Main/index.aspx [dot.gov]

So Where are the S.O.Ps for this?

[Anonymous Coward]

Ok I worked as a policeman at a major UK airport when we had a multi-axis threat from the Middle East and Northern Ireland.
I am astonished that such a response could have been considered.
We frequently had perimeter breaches when passengers, protesters or general members of the public thought it would be a good idea, fun or political to go where they were not meant to. Our S.O.P was:
Find and detain the person using total CCTV coverage.
Ascertain the reason for the breach and from that the treat level.
From the step above the S.O.P that followed was, in 90% of the cases as follows:
Examine the high quality CCTV footage of the persons movements. (You do have high quality CCTV of all corridors and areas don’t you?)
Send in an Explosive Detection Dog (You do have them on 24 Hrs a day don’t you?) to follow the route of the intruder.
Carry on as normal.
Now this is a very simplistic synopsis of a very complex set of procedures but it expresses the mentality of the approach.
The option to close any airport or even a very small part of one was only called as part of a detailed ordered S.O.P and given the HUGE costs and resultant chaos a very last step in the process.
It seems to me that the Newark operation, both security and operations are still woefully lacking in pre-planned structured S.O.Ps

Re:That's a really stupid idea!

[Simetrical]

Um, you do now that casualty-wise, in the US over the last 20 years, a large percentage of Terrorism Victims are from White Militia members, right? Between Timothy McVeigh in Oklahoma City, and The guy at the Atlanta Olympics... (which only killed one person, and indirectly...)

Have you gotten up to 2,973 killed by white militia members, and more than 6,000 wounded? Because that's how many people some Arab Muslims killed in one day a few years back. I think it's safe to say that Arab Muslims are a bigger terrorism threat than white militia members right now. (Although both are of course much smaller threats than, say, getting killed in a car accident.)

Re:Sep 11

[bugs2squash]

As long as it's not the Alfred P Murrah Federal building.

Anyhow, why not have both, a pilot in the plane and a pilot on the ground crew ready to take over, or even just assist, by remote control should the need arise

.

Re:I wish you weren't an AC

[Anonymous Coward]

Then again - if I was a terrorist I wouldn't be looking at transportation right now. That's where we're looking. I'd look elsewhere for my targets.

Strike at the 'Great Satan's' pride. Fly a small plane full of explosives into the Statue of Liberty. I wonder how 'free' the average American will feel when Lady Liberty is face down in NY harbor.

Take a small plane (perhaps stolen that night) from New Jersey or Pennsylvania, load it with barrels of white powder (anthrax optional, you're going for panic here, not deaths) and fly east hugging the ground, cross the Hudson and fly along 42nd street, dropping the powder as you go.... on New years Eve. The panic would be immense, containment would be difficult at best, you'd have International news coverage.

Get a couple of old cars, load them with various chemicals, drive into the Lincoln or Hudson tunnels, and boom! Instant panic, instant gridlock as everyone in the city tries to leave all at once, and with one of the main routes out closed.

Get a portable tank of some sort, apply a misting nozzle, fill with water (bio weapon optional again), pressurize, and hook onto the back of a subway train just before rush hour. How many stations will it go past, spraying god-knows-what in the air before someone notices it and the cops shut down the subway?

Yes, as these simple examples show, it would be easy for terrorists to... well, terrorize. Even without going near a commercial airport.

Thank god those goat-fucking idiots can't seem to get their asses in gear.

Re:It's The Money

[cpghost]

The cumulative effect of all those wars is that they also breed more terrorists. This terrorism hydra needs resentment caused by the civil casualties we're (un)happily providing where ever we're fighting, to regenerate itself again and again.