Schneier on Security
A blog covering security and security technology.
« The Doghouse: Internet Security Foundation |
| The Electronic Privacy Information Center (EPIC) »
December 14, 2004
Security Notes from All Over: Israeli Airport Security Questioning
In both Secrets and Lies and Beyond Fear, I discuss a key difference between attackers and defenders: the ability to concentrate resources. The defender must defend against all possible attacks, while the attacker can concentrate his forces on one particular avenue of attack. This precept is fundamental to a lot of security, and can be seen very clearly in counterterrorism. A country is in the position of the interior; it must defend itself against all possible terrorist attacks: airplane terrorism, chemical bombs, threats at the ports, threats through the mails, lone lunatics with automatic weapons, assassinations, etc, etc, etc. The terrorist just needs to find one weak spot in the defenses, and exploit that. This concentration versus diffusion of resources is one reason why the defender's job is so much harder than the attackers.
This same principle guides security questioning at the Ben Gurion Airport in Israel. In this example, the attacker is the security screener and the defender is the terrorist. (It's important to remember that "attacker" and "defender" are not moral labels, but tactical ones. Sometimes the defenders are the good guys and the attackers are the bad guys. In this case, the bad guy is trying to defend his cover story against the good guy who is attacking it.)
Security is impressively tight at the airport, and includes a potentially lengthy interview by a trained security screener. The screener asks each passenger questions, trying to determine if he's a security risk. But instead of asking different questions -- where do you live, what do you do for a living, where were you born -- the screener asks questions that follow a storyline: "Where are you going? Who do you know there? How did you meet him? What were you doing there?" And so on.
See the ability to concentrate resources? The defender -- the terrorist trying to sneak aboard the airplane -- needs a cover story sufficiently broad to be able to respond to any line of questioning. So he might memorize the answers to several hundred questions. The attacker -- the security screener -- could ask questions scattershot, but instead concentrates his questioning along one particular line. The theory is that eventually the defender will reach the end of his memorized story, and that the attacker will then notice the subtle changes in the defender as he starts to make up answers.
Posted on December 14, 2004 at 9:26 AM
• 19 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
I think you've identified a key dynamic, and we need to find more opportunities to turn this dynamic in our favor, e.g., push the problem upstream into the adversary's planning and staging phases or lure the adversary to a honey pot. I suspect there are some generalizable, reusable patterns here that a little thought and gaming would reveal.
I would have thought a simple defence (on the bad guy's part) against this would simply be to have an "open" reason to be travelling as well as the "hidden" one, which essentially means just having a much better cover identity (or even a cover "life").
It's often said, after all, that the key to a good lie is that it's very close to the truth.
On the other hand, what about the woman (Alice) who is legitimately planning on going to Israel, meeting a she knows there (Bob), and then hanging out with him, and letting him take her on touristy trips and such of his choosing. She gets to a point where her story ends, and she doesn't know what she's going to do.
"I'm meeting my boyfriend, Bob, at the airport. Well, I was supposed to, several hours ago, when I landed. I don't remember his address or phone number -- they're in my purse, but you took that. I'm not sure what we were going to do -- he was going to take me to dinner -- I think he said an Italian place?"
"Well, that's a very convient, Alice. You can't answer our questions, so we can't judge your answers. Very convient. Boys, take her away!"
PS -- Counsouling us to lie about our name and email address if they are required for no good reason, and then requiring them for no good reason, is a nice touch.
One thing to remember is that it is not the answers alone which are being judged, but also the way the answers are given. If the passenger with a memorized story all of a sudden has to start making things up, he will likely give clues to that which a trained examiner will pick up. So this technique will only work well in the context of "Behavioral screening."
A novel approach at resolving a new dynamic on an old problem. How could we apply similar principles to the electronic realm? It seems that the key principle is the role reversal whereby the malicious 'attackers' get put into the role of the 'defenders', the analogy tends to break down when we start to talk about packets instead of people.
As an aside, I strongly believe that the industry needs to find ways to solve security problems without infringing on privacy. What if I had a valid reason not to give my story to an airport worker? The privacy/security tradeoff is not acceptable by principle- as it will only continue to emphasize the dangerous precedence that the industry has been setting, eroding civil liberties in the name of security; be it digital or analog.
Yes, well, this was my point when I responded to your post on the TSA (http://www.schneier.com/blog/archives/2004/12/airline_securit.html)
Israeli Security is efficient in the way it handles traffic load, yet it seems to be reasonably effective in maintaining security in the face of constant attack. In fact, I have been amazed over the years at how quickly some are whisked through ElAl security, while others are detained or removed.
Say a passenger decides to lie to the interviewer - but not because he is a terrorist. He might be flying to see his mistress, but certainly wouldn't want to reveal that he is cheating on his wife. His lying would put on him suspicion of terrorism nevertheless.
This interview tactic seems like it could be all to easily abused as a violation of privacy. Is the passenger required to answer the questions? What kind of questions are allowed to be asked of him?
In general, I'm not sure this Airport Gestapo is the best way to secure planes.
I went through the screening process to get into Israel a few years ago, in late 1999. It was a "quiet" period for terrorism, but the interview process was quite long. And it happened at the departure gate, in Spain, and not at the arrival (it was an El-Al flight).
I was asked for the whole story behind the trip: why I was going through Spain (I had departed from Brazil, there are no direct flights), why I had Spanish phone numbers in my PDA (my company's headquarters were in Madrid), was anyone in Israel expecting me (yes, a software company), were they listed in the Yellow Pages (how should I know?), why did I have a CD-R labeled as "Windows 95" with me (to test their software with the Brazilian version of Windows) and so on.
They even "borrowed" my PDA for a few minutes and called people in Spain and Israel to check my story.
Needless to say, I wasn't a terrorist and was allowed through. I felt very nervous during the whole process, tough; it's not comfortable at all.
And, to top things, they misplaced my bag. It was delivered to my hotel three days later...
There are valid reasons for not telling anyone who you are visiting at your destination. Nearly all of my "customers" (I'm a researcher at a national laboratory) are classified. When I visit them I can only tell my wife what city I am going to and what hotel I'm staying in. My specific business and who I am visiting are given only to those with a "need to know" which tends to be a very small group of people. Presumably there would be a way to check out my claim that I have a security clearance and my employer (the lab) would be able to validate my claims sufficiently to get me past my interrogator.
I think this idea could go a long way towards ridding us of those pointless searches.
Israeli airport security has changed over the past 6 months. I left Israel in September this year, through the old airport terminal. It took me an hour and a half to go through security, 2 staff were asking me the old, where did you go, who did you see questions. I'm used to it now, I'm a journalist, I've been to Syria, I've been staying in Nablus, these guys are just doing their jobs. A Syrian visa sets off alarm bells, and I've had 3 hour sessions before. At least they aren't shooting at me. (Let's not get into the number of civillian deaths caused by Israeli counter-terror.) But now, late November, they have a new terminal building. I was through security in 15 minutes. I have the same incriminating visas in my passport, I've been staying in the same places, my equipment is the same. The only visible changes are new x-ray machines, and fewer staff. I don't think this is atypical of the new setup, a friend got through in about the same amount of time, even though she's married to a Palestinian refugee. Either they're getting lax, ot they have a weird new technique.
It's a good idea. The interviewers should be trained to recognize certain anomalies in behavior or story. It's like the trick questions on a psychological exam. "Do you ever get angry?" Any normal honest person will answer yes. Someone trying to hide something would say no. A series of questions like that can be very revealing. Any ordinary person may have perfectly valid reasons for saying "I don't know where we're going Thursday" or "That information is classified." What terrorist would risk giving answers like that? Now, if someone has an answer to every single question, that should be a red flag.
The problem with the approach is exactly the same as that for the use of lie detectors, it's at best unreliable, and needs well trained staff.
Certain groups of people (psycopaths being one) show no signs of stress when telling either a lie or the truth, and the process does not work.
Also there is a well known method of dealing with false story detection that involves manipulating the questioner. Put very very simply you use the old salesmans trick of "back questioning" and "conversational hijaking" allied with "affability" and "affront". When asked a question you turn it back into a question on the questioner, for instance when asked about particulars of your trip at some point it will get down to specifics such as eating out etc you might say "We are going to an Italian restraunt, do you like Italian food" this leaves the questioner open as they will try not to be rude (as this will close you down) so they might say "yes","no","sometimes" at which point you can say "Is it the pasta or the sauce you like", "Oh that's a shame why not" etc. You end up leading the questioner off target, they have to try to get back on target the roles start to become reversed.
Without terminating the interview there are only two ways out of this for the questioner, be rude, or try to stay on track.
Being rude is counter productive, you can easily get upset in an affabale way which again takes their line of questioning off or you start complaining and asking to speak to somebody about their behaviour. The questioner has to be very skilled to stay on track and remember sufficient detail to setup verbal traps etc.
Like beating lie detectors it is something you can be trained to do very effectivly whilst still remaining convincingly safe.
There are two interesting points here:
a. This raises the cost of coming up with a cover story that's radically different than your own. If I needed a cover story, I'd pretty much have to make one very closely related to my real life, so this probably makes it harder to pass yourself off as a businessman when you're really an unemployed, perpetual grad student, for example.
b. I wonder if it wouldn't be pretty hard on you to talk about all the fun things you'd like to be doing when you got off the plane, when you really planned to blow the plane up in mid-flight. "Well, I'll go see my Mom and Dad in Ramallah, then go hang out with all my old friends,..." Maybe this kind of stress would be noticeable. (Though I honestly don't have any sense of the state of mind you need to be in to plan on blowing yourself up.)
This reminds me of a oral test in computer science at the university.
I guess I annoyed the teacher too much by asking questions and pointing to errors he made during the three semester lecture so he got his revenge at the test.
He started asking questions all over the lecture, interrupting me after the first scentence whenever I showed confidence with the material.
After a few minutes he found a topic where I only had rough knowledge and spend most of the remaining time to drill down, exploring how weak my knowledge of this topic was.
Obviously I failed the test.
I am sure that even the best students from this class would have failed if they have been treated this way, but of course they were allowed to speak long on topics they were good at.
I am sure you can let anybody 'fail' when digging deep enough, it is up to the integrity of the questioner to keep the false positive rate low.
There have been a few good comments here. It's true that this system requires trained professionals to administer, and that the efficacy of the system depends on the integrity of those trained professionals.
I think that's true for quite a lot of security.
It is an appalling thought to reverse the odds off attacker and defender. It is true that in the "classical" mode the attacker has to find only one weak spot in the defence. Alas, reversing the sides doesn't mean, that the attacker (now the security personell) has to find only one weak spot in the defence (of the terrorists) but ALL weak spots. This is another game and almost impossible. Even if the possibility of not detecting a potential threat is 1: 1000 you need only 100 attempts to break through with a 10% probability. With 1000 tries you get through with a probability of two thirds. You just have to saturate the system and one lucky or in this case unlucky shot is sufficient. Nevertheless the system the Israelis use is better than a solely passive system because it is for a potential attacker a kind of "moving target". I would compare it with what the military calls forward defence. But it is still defence.
Actually those 'honesty test' exams (referenced in earlier post) are largely unvalidated questionable in scientific research. The success numbers they quote are generally from 'proprietary research', companies selling those profiles are notoriously reticent to allow them to actually be openly tested.
There is no scientifically vetted reason to assume any of hose 'trick' questions consistently work.
A defender does not necessarily need to defend against all possible attacks that an attacker would level if the defender has effective intelligence capabilities. Futhermore, I may leave some low impact targets open or even create fake targets to draw out an attacker.
Here's a USA Today article about how some airports are using what they call "behavior detection" (observing people's behavior and engaging them in conversation) to identify potential lawbreakers:
But the article notes that the danger of screening people this way is that it can lead to racial profiling.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.