Schneier on Security
A blog covering security and security technology.
« PhishTank |
| Schneier Lecture "The Future of Privacy" »
October 5, 2006
Screening People with Clearances
Why should we waste time at airport security, screening people with U.S. government security clearances? This perfectly reasonable question was asked recently by Robert Poole, director of transportation studies at The Reason Foundation, as he and I were interviewed by WOSU Radio in Ohio.
Poole argued that people with government security clearances, people who are entrusted with U.S. national security secrets, are trusted enough to be allowed through airport security with only a cursory screening. They've already gone through background checks, he said, and it would be more efficient to concentrate screening resources on everyone else.
To someone not steeped in security, it makes perfect sense. But itâ€™s a terrible idea, and understanding why teaches us some important security lessons.
The first lesson is that security is a system. Identifying someone's security clearance is a complicated process. People with clearances don't have special ID cards, and they can't just walk into any secured facility. A clearance is held by a particular organization -- usually the organization the person works for -- and is transferred by a classified message to other organizations when that person travels on official business.
Airport security checkpoints are not set up to receive these clearance messages, so some other system would have to be developed.
Of course, it makes no sense for the cleared person to have his office send a message to every airport he's visiting, at the time of travel. Far easier is to have a centralized database of people who are cleared. But now you have to build this database. And secure it. And ensure that it's kept up to date.
Or maybe we can create a new type of ID card: one that identifies people with security clearances. But that also requires a backend database and a card that can't be forged. And clearances can be revoked at any time, so there needs to be some way of invalidating cards automatically and remotely.
Whatever you do, you need to implement a new set of security procedures at airport security checkpoints to deal with these people. The procedures need to be good enough that people can't spoof it. Screeners need to be trained. The system needs to be tested.
What starts out as a simple idea -- don't waste time searching people with government security clearances -- rapidly becomes a complicated security system with all sorts of new vulnerabilities.
The second lesson is that security is a trade-off. We don't have infinite dollars to spend on security. We need to choose where to spend our money, and we're best off if we spend it in ways that give us the most security for our dollar.
Given that very few Americans have security clearances, and that speeding them through security wouldn't make much of a difference to anyone else standing in line, wouldn't it be smarter to spend the money elsewhere? Even if you're just making trade-offs about airport security checkpoints, I would rather take the hundreds of millions of dollars this kind of system could cost and spend it on more security screeners and better training for existing security screeners. We could both speed up the lines and make them more effective.
The third lesson is that security decisions are often based on subjective agenda. My guess is that Poole has a security clearance -- he was a member of the Bush-Cheney transition team in 2000 -- and is annoyed that he is being subjected to the same screening procedures as the other (clearly less trusted) people he is forced to stand in line with. From his perspective, not screening people like him is obvious. But objectively it's not.
This issue is no different than searching airplane pilots, something that regularly elicits howls of laughter among amateur security watchers. What they don't realize is that the issue is not whether we should trust pilots, airplane maintenance technicians or people with clearances. The issue is whether we should trust people who are dressed as pilots, wear airplane-maintenance-tech IDs or claim to have clearances.
We have two choices: Either build an infrastructure to verify their claims, or assume that they're false. And with apologies to pilots, maintenance techs and people with clearances, it's cheaper, easier and more secure to search you all.
This is my twenty-eighth essay for Wired.com.
Posted on October 5, 2006 at 8:27 AM
• 81 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
The other possible issue is that by exempting people with security clearances, you essentially "out" them to everyone who happens to be going through or watching the security process at that time.
Another lesson might be that many of us with clearance don't want to become targets by letting everyone around us know we have it. Strictly speaking, whether an individual has clearance is itself classified FOUO or higher; what clearance might actually be TS/SCI. In any case it's "need to know" and TSA screeners do not need to know--they don't care, it's the screened who care, and that's a conflict of interest. It's just like not showing your Agency badge at a restaurant to get a discount.
This is just security in depth as applied to software engineering.
"clearance is itself classified FOUO" But everyone who wants a job in the DC area who has a clearance puts it on their resume...
It's hard enough to the government to process clearance requests and execute the background checks. With thousands of people traveling on some kind of government business every day, frequently at the last minute, it would be pretty close to impossible to engineer this into the system. Anyways, the DOE doesn't have any incentive to identify their Q cleared people and consolidate their info with DOD TS people. The only people who get something out of this are the travelers, and getting a pass through security doesn't preclude their need to get there early.
Bruce, that was a nice tight article. Good work.
"Poole argued that people with government security clearances, people who are entrusted with U.S. national security secrets, are trusted enough to be allowed through airport security with only a cursory screening."
And he's completely correct in that assertion. The mistake he makes is thinking that because that assertion is correct, something should be done to change policy. His failure is a failure to realize that it would cost more not to screen some people than it does to screen everyone.
What is good for the goose is good for the gander:
If the people 'in charge' decide to implement ridiculous security measures at the gate, then they should also be subject to removing their shoes and tipping out their liquids and all the things the regular folk are subject to in this display of 'secuirty theatre.'
This general problem is so common I think it needs its own pithy name...
"The Map Is Not The Territory"
This comes up time and again when you have people looking at a computer screen to determine something about the world around them.
Looks like the first widespread use of this is attributable to Alfred Korzybski.
From that article ...
He thought that certain uses of the verb "to be," called the "is of identity" and the "is of predication," were faulty in structure, e.g., a statement such as, "Joe is a fool" (said of a person named 'Joe' who has done something that we regard as dumb). In Korzybski's system, one's assessment of Joe belongs to a higher order of abstraction than Joe himself. Korzybski's remedy was to deny identity; in this example, to be continually aware that 'Joe' is not what we call him. We find Joe not in the verbal domain, the world of words, but the nonverbal domain (the two, he said, amount to different orders of abstraction). This was expressed in Korzybski's most famous premise, "the map is not the territory."
If this policy was put into place, the first thing that Joe Terrorist would do on the master plan is: Get a security clearance.
A step high up on Acme Terrorist Society's agenda would be: Recruit people who already have a security clearance.
There's some sort of confindence inherent in there that getting a security clearance is going to preclude someone from performing a terrorist act. Or the flip side: That the screening process is going to ferret out the terrorists, that a proto-terrorist can't get a security clearance.
Why don't I have that confidence? I must just be mistrusting and cynical.
"Far easier is to have a centralized database of people who are cleared. But now you have to build this database."
I'm not questioning the difficulty of securing and keeping it up to date, but there is a central database for clearances called the Joint Personnel Adjudication System (JPAS):
We really have no idea how many people have clearances who shouldn't have them at all. But even that is a mistaken way of thinking, because the whole notion of "clearance" is ill-defined and amorphous. The economist who doesn't disclose unemployment and inflation numbers before the official time probably has a clearance. So does the engineer working on some tiny subsubsubsystem of a military-contractor boondoggle. Does that make them better-than-otherwise risks for the particular question of interfering with the flight of a commercial aircraft? Maybe, maybe not. Does that make them (or any of the tens of thousands of other cleared people, many of whom leave laptops and briefcases scattered around the known world) better risks at ensuring that no one has slipped something into their luggage or suborned them to carry a package? Doubtful.
(And as roxanne points out, that just makes having or appearing to have a clearance a shortcut into the supposeldy safe part of the system.)
If a person has a security clearance, they could do far more damage to the country by leaking secrets than they could by blowing up an aircraft. Clearance screenings should also be able to ferret out people with ties to radical organizations. I know a guy who was denied a clearance because he is married to a person who is from an asian country that the USA is friendly with, so the requirements to get a clearance are fairly strict.
@ "The issue is whether we should trust people who are dressed as pilots, wear airplane-maintenance-tech IDs or claim to have clearances."...
My next-door-neighbor's brother is a pilot for a major US airline. To prove a point he was trying to make to a fellow pilot about the implicit trust by the TSA of people in airport-related uniforms, he doctored his airline ID badge with an obnoxiously obvious fake overlay of a generic ID card he found on the Internet for "Ricky Bobby", Will Ferrell's character in the movie "Talladega Nights".
The next time he went through airport security (in the US), wearing his pilot's uniform, he flashed his "Ricky Bobby" badge and was allowed to pass completely unscreened.
I live in the Dallas area and we've had a rash of women drivers being stopped at night after seeing flashing lights in their rearview mirrors and being greeted by people impersonating police officers (wearing uniforms, badges, etc.). Often, this has lead to sexual assults.
As the article points out, dealing with people who present false, but "official-looking" credentials is not always a _simple_ security matter.
Don't you wish more people knew how to do this:
There is one point here that I must take issue with, the discussion on "pilots going through security."
Searching pilots would make sense if one were able to verify the area of higher trust as truly more secure. I'm not sure that it is though. Imagine, a pilot tries to get through security with an axe only to have it taken away. He then proceeds to his "office," where above his head, hangs an axe (we don't know why he wanted to bring another - perhaps the original needed sharpening).
One might argue, that in the standard security check point, it's not possible to know whether he is really a pilot or an imposter. In other words, the question becomes, is he really cleared for access to an axe in the secure area. Unless there is another, even more stringent check of his identity/credentials, the whole exercise is a sham. It is this second identity check (At the regular screening his identity was verified by his uniform and ID, otherwise they would've sent him to the regular line.) which must be carefully controlled and strictly enforced even though only a minority of people ever see it. As an aside, one could then question why these checks couldn't be collapsed since airport staff have their own "lane" anyway.
I've unintentionally begun to write my own essay here, but I feel like there is a bit of security theater going on here. Even though the public doesn't see it happening directly - they know from experience that it's going on(don't maintenance guys have hammers and wrenches when fixing stuff in the terminal that could be swiped rather easily? Or is the maintenance crew trained on how to properly secure the TSA classified weapons that they possess? Really an amazing amount of responsibility for your Mr Joe Fixit). My guess is that this kind of thing isn't controlled the way it must be to support the original screening. This is why this all seems so foolish when pilots have their favorite nail clippers confiscated.
By lowering the standards for any given group of people you will make them a higher priority target. Let's say you know Joe will not be screened thoroughly because he has a top secret security clearance. Why bother spending years getting a security clearance yourself or converting someone to your cause willingly. Why not threaten to do something so horrible to Joe that he will do what you tell him to. It is fast and easy and terrorists aren't afraid of doing horrible things. Having a security clearance implies you are less likely than the next guy to do the wrong thing, but we are all human and if the right pressure is applied we will all break. Torturers have proved this since the inquisition. It would take someone far outside of the norm to withstand any and all pressure and I don't think that kind of person is very common. I think they only exist in the movies.
"Clearance screenings should also be able to ferret out people with ties to radical organizations. I know a guy who was denied a clearance because he is married to a person who is from an asian country that the USA is friendly with, so the requirements to get a clearance are fairly strict."
Strict, yes. Also ocasionally perverse.
A contractor was refused the low-level clearance required to work on certain systems at Thames House (HQ of M.I.5. in the U.K.) because of an 'accident of birth'.
However, he had previously installed the self-same systems an employee of a different contractor, when Thames House was originally being built - no security clearance required.
There is already a push towards all this with the DHS HSPD-12 cards. Basically every federal employee and contractor will have to have a standardized card that will be linked into a background database. Information will then be centralized and checked. There is supposedly a similar scheme for clearances where basically a person will be cleared for a certain level of federal information, and each agency will be a compartment.
The usefulness of this is supposedly huge because each agency is supposed to be working more with each other versus less. The cases for it are that it has taken weeks in several important cases for DOJ/DOE/DOD to talk to each other on somehting that needed to be done in less than 24 hours. [The upper people could do so, but the people who really knew what was going on took a week of paper being lost in the system.]
An infrastructure is already being put into place that could be leveraged to facilitate this. In response to HSPD-12 and FIPS 201, everyone who is issued a Federal Agency or Department Picture ID will have to have a background investigation (at least a finger print check) performed on them. The credentials that are issued will have match on card biometric capability and should be much more difficult to forge than a traditional driver's license. In addition, the system is built on open standards so should be easy to modify for this purpose.
It is also important to note that EVERY federal employee has a background investigation. Some in highly secure positions have full life style investigations with a polygraph or similar but at a minimum, a National Agency Check with written Inquiry (NACI) must be submitted and adjudicated. Contractors, Volunteers or other individuals affiliated with Government Agencies or Departments may also require higher level investigations but according to the new standard, the minimum is a fingerprint check.
A threshold would have to be identified as to what level of background investigation was required to bypass any security checks but this infrastructure could certainly support this additional functionality. With the appropriate checks and balances, anyone who had a valid, active, federal picture ID would be recognized as having at least a low level background investigation.
It's situations like this I'm reminded of the (possibly apocryphal, but hopefully not) stories of the marines with the M16's stationed airside in aiports in 2001/2002, who often would go through the full security screening including taking off boots and running those, plus the rifle, through the x-ray scanner at the start of their shift.
Yes, they have a gun that they are permitted to carry, but the point of the security screening is to make sure that they only have with them what they are supposed to, and nothing more.
@ Chris S - spot on.
Being able to tell the difference between the actual person and someone else's assesment or opinion is a concept that it seems most folks can't or won't grasp.
Until people can understand this abstraction then impersonation and 'insider' jobs will continue unchecked (e.g the fiasco that allowed John Walker to pass US Fleet codes to USSR for 20 years)
Until that day we can look forward haemorrhaging money on massively shared databases, biometrics and ID cards, all with built-in fallibility.
Security clearances are bad because anybody can get a clearance if they've not been caught committing crimes (regardless of whether they have committed crimes).
Once you have the clearance, the assumption is that you are trustworthy, which may be okay for a limited set of situations, but clearly being cleared to work at the Capitol is not the same as saying you are clear to board a plane without a security check, regardless of whether there's a system in place to make these even feasible.
The whole point of the U.S. governmental checks and balances is based on the idea that you can't trust people, even those in power, those we have entrusted with that power via democracy. We have laws and we have checks and balances to ensure that people are following those rules. It's not like we've never had a corrupt or criminal politician before! It's more like we have them all the time, and they even get caught pretty frequently.
U.S. soldiers in Iraq are authorized to carry weapons and even kill others under various rules of engagement, yet they also have committed crimes, so we cannot just assume that they are trustworthy either.
So, if a president can lie and go around the law, and our troops can, and our other politicians can, and our teachers can, and our priests can, why would anybody think that just because you looked okay at one point in time, you'd be good any other time?
"And with apologies to pilots, maintenance techs and people with clearances, it's cheaper, easier and more secure to search you all."
I actually think there is one exception: the cockpit crew on a given flight. You see, it doesn't matter if they have a box cutter, pen knife, Dirty Harry Special, or a bottle of Evian and an iPod on them or not: they have direct access to the flight controls of the aircraft, and can make that plane go wherever they want!
So, IMNSHO, the highest (some might even argue the *only*) item that TSA should be looking at with respect to those who claim to be the cockpit crew is whether or not they *are* the cockpit crew. When they arrive at the checkpoint, they should be whisked off to a side room, where their identity is verified (they are "authenticated"), everything being recorded like the floor of a Vegas casino (and monitored as closely.) And, it is not unreasonable to have id checks done at different places: remember, both the airlines and the TSA (government) have a vested interested in assuring that *only* bona-fide flight crew members are onboard the aircraft.
The treatment of people with security clearances just everybody is fitting given the current situations.
Now, this does NOT mean that types of searches and what's deemed contraband are always well thought out and fitting. There are plenty of examples of silly designations of contraband, yet the overall process does make it more difficult to smuggle on-board
the more obvious weapons without the risk of being detected.
There's a political assassination in New York City that serves as a sad reminder that knowing the "who" does not always answer the question of "what" they're carrying and may intend to do. In July 2003, a political rival of City Councilman James E. Davis smuggled in a pistol & ammunition into City Hall and shot the Councilman. The two, by the routine practice, were allowed to bypass the normal security checks at the enterance.
Then there's the 1987 attack on Pacific Southwest Airlines flight 1771 by David Burke, a recently fired USAir employee. Burke was allowed to bypass the airport checks because he was recognised as an airline employee. He smuggled a pistol on-board, got into the cockpit, and, apparently, crashed the commuter flight.Now would the US airport security checks pre-Lockerbie have detected the pistol? But the bypass of checks made that moot. See http://jcgi.pathfinder.com/time/magazine/article/...
By the way, there's an interesting list of airline attacks and some insights from the The Salon's Ask the Pilot column of 2004: http://dir.salon.com/story/tech/col/smith/2004/...
The system is already implemented. However, instead of trusting people with security clearances that have gone through a background check, only people willing to cough up enough $$ get the special treatment.
I'm sure THAT can't be abused...
One more thing. If you do create a special line for security clearanced individuals, you make it very easy for the Arab KGB to pick them out. Just wait for a few people to queue up in that lane, then run blow yourself up next to them. You could very quickly take out some people the government thinks are important.
In 1999, EgyptAir Flight 990 was deliberately crashed by a pilot.
Perhaps pilots deserve intense and extensive scrutiny.
Is the original radio interview available?
"The next time he went through airport security (in the US), wearing his pilot's uniform, he flashed his "Ricky Bobby" badge and was allowed to pass completely unscreened."
An old NSA veteran once told me of a similar incident from the mid-1960's. The Agency's director of security pasted a photo of Khrushchev over his ID badge one morning. The Marine guard saluted smartly and let him in, and was on a plane to Vietnam that afternoon.
The first thought that came to my mind is that this guy just wants a system where he can say "Komitet!" and get the deference he so richly deserves.
for those of you who don't know the history of the phrase, it's short for Комите'т Го�?уда'р�?твенной Безопа'�?но�?ти (Komitet Gosudarstvennoj Bezopasnosti)
Poole gets special pass to jump the queue. Poole's boy/girl-friend gets miffed. Friend gets special pass to jump queue. Poole's spouse gets miffed. Spouse gets special pass to jump queue. Spouses brother get miffed... Pretty soon the only people lining up to be searched are those who don't know how to sabotage a plane.
The idea of letting people with security clearnaces through is plain stupid. Should a police officer be let through just because he is in uniform?
In case you think that is a weird question, here's what happened at Toronto's Person International. An officer in uniform walked around the check-point and was challenged by on of the checkpoint security staff. Quite a verbal battle ensued, but the security officer was in the right --- anyone can rent a police unifrom from a costume shop and impersonate an officer.
There is not as much infrastructure needed as you suggest. The DoD has already distributed smart cards to most cleared people, literally millions of them. They are called CAC cards, for Common Access Card cards. You gotta love acronyms. Anyway, they have fingerprint and photo biometrics, a secret user PIN to control access to the biometric, and the infrastructure to use them is installed in all the DoD's computers. A couple thousand more for airports would not be an impact on the NMCI (Navy and Marine Corps Intranet) project.
The thing you would get out of this at airports is practical experience with a secure smart card. You would have no cost ot make and deploy the cards. You would have large scale, something like 1-2% of the air traveling public. It's the sort of bootstrap that could let us measure ideas for the Registered Traveler program. Moreover, there are no privacy issues, the DoD long ago distroyed the privacy of its workers.
You could argue that the results would be to prove that this Registered Traveler concept is a dumb one. You might be right. Doing something like this would provide proof, one way or the other. That would be much more powerful than an editorial in Wired.
Looks like yet another example of this code error (idea stolen from recent Boing Boing post which in turn stole it)
if (person.clearance = "top secret)
What are all the problems with this?
Ultimately, having a clearance and airport screening exist for two separate purposes. My coworker might be in the same compartment and be allowed similar access to information as I, but that doesn't necessarily mean that I assume he will never try to "do something bad" on a plane.
> if (person.clearance = "top secret)
> What are all the problems with this?
Well - for a start there's a missing end-quote in the first line. Maybe they got Microsoft to write the code :)
"My guess is that Poole has a security clearance"
Well that's my guess too.
An incident of "I'm not the terrorist - give me comfort, a normal person deserves!"
Even if discriminating screening would be possible at no cost, and no new cheating risks would be introduced, no exception should be made to the people in power.
The experience of being threatened as suspect might be very helpful in making good decisions in the future, and avoid potential conflicts, based on a two class human rights system.
* Today, the EU decided a new security policy in airline travel.
People are allowed to take fluids of maximum 100 ml per bottle and a maximum of 1l in total, to prevent liquid explosives getting on the plane.
I don't know how many liquid explosives you need for serious damage on a plane, and how this prevents groups of terrorists to mix together 5 or 10 liter.
Another rule is: You may buy liquids on the duty-free shop after passing the checks.
Well - getting a somehow marked bottle to a duty-free shop, where you need a complice is not very trivial, but I guess more easy than getting the expertise how to handle liquid explosives.
A news is to be found here:
I didn't get it there but on german TV, where details sounded a bit different.
The ACLU would likely spin some variation on the 14th Ammendment over that.
Too, there is value in treating people as equally as possible. Commissioned military officers (security clearance or no) submit urine samples periodically. If it's good for the troops, it's good for the officers.
@Gary in DC:
> if (person.clearance = "top secret)
In many C-like languages, the expression in the if() test is an assignment, not an equality test; if not for the missing quote, it would assign the string "top secret" to person.clearance. This assignment will probably return a true value (if it is valid to assign a string to this property), then we fall through to security.admit().
Thus the function of this code is to upgrade everyone to top secret clearance and then admit them, whilst _appearing_ to be a test which checks for top secret clearance. A cute analogy!
It is very similar to the root upgrade hack which someone tried to slip into the Linux kernel a year or so ago (but which the code auditors caught).
Um, what about JPAS? Today if I go to any security manager in DoD and give them a social, they tell me if that person is cleared, when they were cleared, by what agency, and at what level.
I've been to briefings that required me to "prove clearance" before I could go. They used JPAS for that. Seems like they could do that at airports, even if they used a watered down version/interface that just verified someone was in the DB. Or something.
Yes there's still issues with untrustworthy people that also have clearances, but that's a problem with the vetting process that should be addressed elsewhere. Maybe you don't lighten up on everyone with a clearance, maybe just certain clearance levels that have stronger vetting. I know when I went through my vetting process, they personally interviewed at length every one of my neighbors, my co-workers, most of my closest friends, college professors, my ex-wife, and the list goes on. If professionals trained to do so cannot weed out threats to airplanes after all that, no airport screener is going to either.
While yes I'd benefit from a system that allowed me to get through security quicker, I'm more interested in the time and money saved by TSA, and in the narrowing of targets for the screeners to focus their attention upon. We ("the cleared") are just extra noise in the system reducing target fidelity.
(CRAP! Sorry, I didn't see the previous JPAS mention until after I'd typed this.... but since I did all this typing... I guess I'll go ahead and post)
What a looney. I feel we are all in great danger, as looney's like this also believe that their st-u-pid security systems actually *work*, and so they do st-u-pid things to other people that can make those other people angry -- thinking all the while that this is a safe behaviour to engage in.
Yes, it seems as though nobody knows about CAC [smart]cards. The DoD uses them, you need to present them every time you go on base, and they undoubtedly contain one's clearance information - or can be used to retrieve it from JPAS. Also it has a picture, a 2-d barcode, a chip, an expiration date, and contains images of one's fingerprints and all the printed matter. They are programmed by some application which interacts with one national database which is very slow (programming them took a couple of minutes of waiting).
Having had a clearance myself in the post-9/11 I wondered at the absurdity of searching people with clearances also. Although I wouldn't have believed it without first-hand experience, people who have clearances are paranoid of losing them, and often very careful to avoid even the most minor acts which may make them look trustworthy. For one thing, the snack bar was based on the honor system, and one person was reprimanded (verbally) for having overpaid in his first visit and picked up something later without visibly paying. It was nice not to have to worry about hiding my radar detector (putting it on the floor was enough to satisfy the MPs, as they were not allowed, probably because the military uses RADAR for reasons other than speeding).
My investigation took 18 months, and they basically dug all around trying to find any dirt, any people who might not like me because I didn't treat them well, and who might retaliate by giving them some damaging information. They checked my financial history as well, looking for unpaid debts or histories of financial irresponsibility. You had to self-report any tickets equal to or more than $150. Risk-taking hobbies like skydiving were a potentially disqualifying factor. They don't want risk-takers or thrill-seekers. I had to self-report when I started taking an anti-depressant (or any other mind-altering substance). There were random urinalyses, and they used radio-immuno-assay, which is a costly but extremely accurate way to profile virtually anything you metabolize. They asked about political leanings, any visits to foreign countries, and so on. You were also required to be debriefed before visiting certain countries, and had to self-report any travel out of the country. Not self-reporting any of this was grounds for losing your clearance. Letting somebody without a correct-level badge piggyback into a SCIF was grounds for losing your clearance. A pattern of accidentally bringing in your cell phone, or a CD-R, anything that could record or transmit, test or measure, was probably grounds for losing your clearance. Running unapproved software on a DoD system was grounds for losing your clearance. Bags were searched randomly. Once my car was searched by dogs when coming on-base. It was an extremely intrusive probe, fairly uncomfortable for a privacy advocate like myself, but I gained some respect for its thoroughness.
I think concerns about self-identification are probably minor; this would only happen at US airports, and lots of people have at least secret level clearances. Besides, you will see them pass you on the way into the secure area, when exactly are you supposed to blow them up? Which plane are they getting on? Where are they going?
I was a contractor but heard that commissioned officers automatically had secret, and the military uses commercial airlines to transport personnel to and from remote locations most of the time.
They do a good job of making you feel like it's a privilege, but the fact is it's like having someone looking over your shoulder all the time and a heavy responsibility. The incentives are set up pretty cleverly; the people who manage the SCIF have an incentive to correct any violations they see because an auditor who witnesses them could cause them to lose their rating for handling classified work - almost surely grounds for termination. If you let someone in, it was in your interest to check their badge, or you could lose your clearance. Etc.
The pay doesn't justify the burden, and maybe the perk of not being searched may compensate clearance-holders for the crap they have to go through on a daily basis.
Besides, they already decide who is searched before you ever get to the security checkpoint. I'm going to politely decline to comment on that bit of security-through-obscurity.
PS: If you are forced to get on a plane, they will undoubtedly have some covert but unmistakable signal that things are amiss. At that point, you personally are pretty safely away from any parties that are threatening you, a great time to have a discussion about them with one of the FBI agents who are already stationed in every major airport.
If you need a job and have a clearance, visit www.securityclearanceexpo.com or attend the Northern Virginia Career Invitational Event on Tuesday, December 5th, 2006 or Wednesday, December 6th, 2006 in Linthicum, MD. Employers can have a booth to recruit cleared professionals by calling Jeff Foster on 703-652-6323 or send an email at jeff @ securityclearanceexpo.com
Bruce, what the hell are you carrying on about? There are indeed clearance ID cards. I agree with everything else. Everything anonymouse said it pretty much correct in my experience.
Additionally, you're not supposed to be flashing your ID for anything other than required business (as someone else pointed out the mere fact you work for the government is U/FOUO, nevermind whether you have a clearance and what level it is), which is the biggest reason why this shouldn't be done.
I may have misread your statement, but having a Q and a DoD TS is *not* the same, a person with TS doesn't necessarily get Q and vice versa, it often goes a little quicker, but it's not a guaranteed. Q is an SCI that implies TS, but it's by far not a DoD TS.
"My guess is that Poole has a security clearance"
Not only that, he feels that by being an affiliate of the government he deserves to be treated better than the serfs^H^H^H^H^Hcitizens. Just a nice reminder to the rest of us that all government droids care about is their own comfort and power.
"I feel we are all in great danger"
Yep, and the terrorists have nothing to do with that. The source of this great danger is "our" government which uncannily quickly slides into full-scale fascism.
"if (person.clearance = "top secret)
What are all the problems with this?"
Obvious problem, you asked the person for his clearance, and then tell security what to do to him.
While you should be asking security.getClearance(person).
'Never trust the client", works for distributed applications, and real world:)
"he was a member of the Bush-Cheney transition team in 2000"
Indeed. You may recall he also worked for CA Gov Pete Wilson and introduced "high-occupancy toll" lanes in the 1990s.
These were essentially designed to reduce road congestion by privatizing roads and allowing privileges for those who could pay more rather than actually meeting more important goals of reducing the number of vehicles, emissions, etc.. In other words you should get to pay for the privilege of the carpool lane regardless of any other objectives.
Perhaps you could call his proposed system a proactive method of fines rather than a reactive (e.g. police monitored) one, which removes the hassle of being pulled over and given a ticket for each "privilege".
So it appears his interest is far from security because he clearly is willing to sacrifice any greater benefits of a program if 1) money is to be made by the private sector and 2) there are opportunities to *simply* pay your way into "privileged efficiency" status. Since the screening changes he supports meet those two basic criteria, he surely sees a "win-win" for what appears to be his painfully shallow sense of public value.
Incidentally, his concepts remind me of the kind of "security" you find in many unstable countries with decentralized or "market" based authority, where flashing a few Franklins may be the only thing that can give you a kind of temporary immunity:
...or from the original BBC article:
"Meanwhile, Mohammed, a truck driver who has ploughed the roads between Burkina Faso and Tema port for more years than he cares to remember, says the problems in Ivory Coast outweigh the benefits.
As he is stopped at a police barrier in northern Ghana, he explains quietly in French, that the 'costs on the road' in Ghana are a fraction of those in Ivory Coast - meaning the fees accumulated in bribes and unofficial payments. "
It is not true that the mere fact
that you have a clearance is
UNCLASSIFIED//FOR OFFICIAL USE ONLY.
It is also not true, as one other
commenter claims, that the mere fact
that you work for the government
is UNCLASSIFIED//FOR OFFICIAL USE ONLY.
It's this kind of crap that makes
an SSO job so difficult. People have
all these wrongs ideas about what is
isn't classified or subject to
dissemination restrictions. So
they slap U//FOUO on things that are
"An officer in uniform walked around the check-point and was challenged by on of the checkpoint security staff. Quite a verbal battle ensued, but the security officer was in the right --- anyone can rent a police unifrom from a costume shop and impersonate an officer."
If the police officer was armed, the security official should have pressed the Big Red Armed Intruder Alert Button right away.
One of my pet peeves is people who call the CAC a CAC Card. It's redundant. Sort of like saying you're going to an ATM Machine (Automatic Teller Machine Machine).
Also, as mentioned above, the CAC will be replaced over the next few years with the HSPD-12 compliance PIV Card. This card will be interoperable accross the federal government (not just DOD) and will have very similar functionality to the current CAC.
Anyone interested in additional information on the HSPD-12 program should read FIPS 201 which can be found here: http://csrc.nist.gov/publications/fips/fips201-1/... Additional technical documents are in the 800 series of Special Publications found here http://csrc.nist.gov/publications/nistpubs/... Of particular note should be 800-73, 76 and 78.
These cards are scheduled to go live accross the federal government at the end of this month. Whether all agencies are in a position to comply with this deadline and become fully compliant is another story but my understanding is that most will at least begin issuing some sort of smart card.
Certain people with certain clearances are issued special "black passports" and are already able to bypass security, so the pre-screening methodology you describe is already implemented.
Why not run that idea by your local opsec department and see who they agree with.
There is a good chance you are dealing with less sensitive stuff, our FSO (which I'm gonna guess is the equiv of SSO) specifically wants people not to tell people without a NTK who we work for and what clearance we may have
The fundamental fallacy of Mr. Poole is the notion that good (airport) security screening is based on WHO an individual is as opposed to what THREAT they pose RIGHT NOW.
It doesn’t matter to me if you’re a member of the Daughters of the American Revolution and the fifth generation of your family to hold a TS//SCI security clearance or a Pakistani immigrant, if you DON’T have a gun you CANNOT shot me – if you DO have a gun you CAN shot me.
The same logic holds true for airport security. The woman with a TS//SCI can just as easily be pressured into breaching security as the honest Pakistani immigrant – Security needs to prevent both threats, as well as the actual terrorists, from getting through security. Creating a fast lane for anyone increases the vulnerability of those with access and reduces our overall security.
Who you are and what the government already knows about you is entirely beside the point.
"Certain people with certain clearances are issued special 'black passports' and are already able to bypass security."
Black passports are simply official/diplomatic passports whose bearer may not have a clearance and certainly can't bypass a commercial airline security check.
@The Grumpy Hacker
Err.. diplomatic bags??
If we want to be truly secure, do we want people with security clearances being tagged as such for the world to see? One mole in an airport line can pass the word on that so-and-so has some kind of security clearance and therefore be a target for kidnapping, blackmail, etc.
In the name of security, people with clearances had best swallow their pride and undergo the same indignity as the rest of us.
Searching everyone at airport security checkpoints is essential. It protects their families. Most people would carry anything through if a close family member or friend was being held hostage. This risk would arise if any group was known to be exempt from airport security checks.
I understand the need not to trust people when it comes to security. However, at some point there should be a set of people with implied trust based on some credential - because there ARE people that will never attack this country. Not trusting folks with clearances is smart - DoD and the IC can't even figure out how to SHARE clearance data (JPAS vs Scattered Castles).
However, why not trust people that are identified as traveling in an official capacity for the United States. The DoS issues Official (red) and Diplomatic (black) passports for travelers on official business. We already trust passports. Possibly in the amedments section there could be an explicit "trust endorsement" based on some piece of information that was provided by the sponsoring organization (e.g. clearance, etc...). People without this "trust endorsement" would still need regular screening.
Also, why are we even talking about "bypassing" security? What we should be talking about is funelling trusted people through a different set of security mechanisms than untrusted people. By having two sets of security conditions, it allows the TSA to focus on the untrusted set while still screening the trusted set. Functionally, this would keep people like me from being stuck behind the old lady that can't figure out how to take off her shoes and then gets "randomly" selected for additional screening, preventing me from going through the metal detectors while the old bat gets felt up!
Oh well... Just a thought...
Diplomatic Pouches are used to transport Official documents or communications across international boundries (read: not inter/intra-state). You might be interested in reading this governing documentation... http://foia.state.gov/masterdocs/05fam/...
American diplomatic bags, yes; but other countries can certainly travel from state to state (e.g. enter the USA in California and travel to the Embassy in Washington).
I went reading, furthermore, and it doesn't seem that there is much limit to what a diplomatic bag can carry as long as it is claimed that it is for "official use". Also, although not explicity in the 1961 treaty, which seems to be the latest one it seems you can't even X-ray them.
Article saying you can't X-ray the bags
Discussion of improving treaty (it took 20 years of work to agree to bring a draft proposal to the attention of the UN members)
One point that should be mentioned is that (reasonable) people with clearances don't flaunt them. If a "US Clearance Holders' Aisle" were implemented, a foreign intelligence operative need only spend a few hundred dollars for an airplane ticket to compile a days worth of photographs of people exiting it.
Going through such an aisle would put the clearance holder, his family, his employer, and his country at risk.
What a wonderful patriotic idea, to reward the valiant government elite by allowing them to bypass those irritating sheeple at the airport. But let's not stop there! How about elite lanes on the streets (monitored by RFID, of course), and elite shops, and preference for admission to university for the elite children of these homeland heros. The possibilities are endless. How sad though, that we are unable to proudly claim such a system as an Amerikan invention, comrades...
security clearances aren't necessarily a guarantee of universal Godliness (or whatever)...a person can be cleared for certain issues but not for others. Simply put, someone with a clearance isn't necessarily a good guy in all areas.
Developing a special system for people with security clearances would not only be a waste of resources, but could also endanger those people in a hostage situation. I used to fly in the National Guard and we had frequent overseas trips. We were told to get personal passports for our own safety. If you are in a hostage situation, the last thing you want to do when the terrorists are collecting passports, is to hand over that red official passport (or the special ID that says you have a security clearance) You instantly become the most valuable hostage. The scenario is probably not likely, but why waste resources to help the terrorists?
"It doesn’t matter to me if you’re a member of the Daughters of the American Revolution and the fifth generation of your family to hold a TS//SCI security clearance or a Pakistani immigrant, if you DON’T have a gun you CANNOT shot me – if you DO have a gun you CAN shot me."
What would you recommend we do about sky marshals? All these arguments apply against them too. According to the book Vengeance, the author went from being a sky marshall to being in the Mossad. Would you bother to search a *former* sky marshall?
As a passenger, I'm reading your latest CRYPTO-GRAM in an aluminum tube at high altitude on my way to work for one of my clients. I had an additional thought about why lowering the screening requirements for people with Security Clearances is a bad idea...
It makes them targets.
First of all, these people, by definition, have secret information. What it is is obviously secret, but its desirable. Otherwise, it wouldn't be secret. Now, these folks are being identified. Once IDed, they can be social engineered, their bags can be stolen, their ID cards light-fingered, and so on. In other words, they become more desirable targets to the criminals who lurk at airports.
Secondly, they become terrorist targets. They now stand out, and are desirable as victims or hostages. For both these reasons, I suspect that a rational person with a Security Clearance wouldn't want to draw attention to themselves. "Hey, look at me! I'm Special!" As a frequent traveler, I play "spot the air-Marshal." Lots of other frequent flyers do it. Heck, my 17-year-old daughter is pretty good at it, we think. Air Marshalls keep a low profile for exactly the same reasons that a person with a Security Clearance would want to as well.
Instead of security-through-obscurity, the proposal has exactly the opposite effect. That is, in addition to the cost and complexity you point out...
"""What would you recommend we do about sky marshals?"""
Other than shooting the mentally disturbed and leaving loaded guns lying around, what have they done that required them to be armed?
The real problem for "people with clearances" (including airline and airport staff) is the loss of their time (and plane connections) due to screening. Allowing through people who just “flash a badge��?, as commonly done, is a major security (spoofing) risk. Would the following approach be better?
BASIC CONCEPT :
1. Identified persons cleared as “reliable��? may enter without screening,
2. All others get full screening.
IMPLEMENTATION: Organisations providing clearances issue a machine-legible “Clearance Card��? to each client, and make the "TSA-relevant" part of his security information available on the web through secure procedures. At the airport fast lane, the TSA official uses the card to access the security information in real time. For identification, the person also needs some ID card or passport, unless the “Clearance Card��? is good enough (photo, biometrics, etc) to serve as such.
This system checks clearance in real-time (covers any recent revocation). Any malfunctions or failed clearances only lead to full screening (graceful fall-back).
This system requires a card reader and secure internet access at the fast lane gates, and secure identification of persons. Will probably cost less than full screening; i.e. negative costs to the treasury. All other costs (cards, making on-line database) are borne by the clearance institution.
Secondary measure: TSA should confiscate clearance cards after a few verification failures, to avoid the use of forged or obsolete cards to access the fast lane.
Persons who have clearances but wish to avoid the risks of being identified as such (see earlier blog entries) will simply not use the “clearance card��? or not have one.
Eric Ferguson, Zeist, Netherlands
My impression is that Robert Poole has some grand sense of entitlement and would like to capitalize on his special privileges, but is an absolute fool when it comes to security.
If you have a security clearance you don't want to advertise that fact for multiple rasons. Allowing people to bypass screening only makes them a target, whether for espionage or terrorism. I remember an incident where the hijackers checked for 1) American passports and 2) American military passports. The result of which was a serviceman murdered and his body dumped on the tarmac.
As for tracking who has and does not have a security clearance that is all web-based now. All you need is the individual's SSN and an account with the government. But, do you really want every airport screener to be able to log into that database? How easy is it to forge documentation with an SSN? I can foresee a new kind of identify theft: stealing a security clearance to bypass airport security.
And if the security clearance database gets thrown wide open by some unscrupulous person, not only is airport security compromised, but so is the ability to verify clearances. Truly a nightmare for defense contractors.
My cat knows more about OPSEC than Mr. Poole.
"If the police officer was armed, the security official should have pressed the Big Red Armed Intruder Alert Button right away."
Yes, he should have done it, so that other armed police officers come and cross the checkpoint to chase their colleague.
Mr. Poole's position on the issue is a foolish one. From my past personal experience, and as expressed by others before me, the last thing I would want to do is to go out of my way to identify myself to an adversary as having a higher value than somebody else. I might as well have somebody paint a bullseye on my back.
I think "Whiskers" is right when he says his cat knows more about OPSEC (Operations Security) than Mr. Poole. But, Mr. Poole is not alone. His problem is symptomatic, a reflection of the fact that many people, even those involved directly with Operations Security, do not grasp the concept completely.
It is a well-known fact that upwards of 85 per cent of the information that one adversary needs to produce actionable intelligence on another can be obtained from a study of open source information, i.e., unclassified information. A lot of it can be collected very simply and easily just by hanging around the right places and keeping your eyes and ears open.
The remaining 15 per cent, which can be used only by gaining access to classified information, is extremely difficult for an adversary to get at because it is usually very well-protected through the employment of technical and other means supported by the efforts of traditional security disciplines. It turns out, though, that it is not always necessary for an adversary to delve into the 15 percent portion; often, the 85 per cent portion is enough. It is the 85 per cent portion with which Operations Security deals primarily. This portion is a veritable treasure trove of unclassified information that an adversary can collect and then search for indicators he can use to derive insight (make some educated guesses) into classified information or build up into foreknowledge of future operations.
The practice of Operations Security is intended to eliminate, if practicable, or reduce, if not, the number, accuracy, and utility of the indicators for which an adversary so avidly searches. It is the sheer magnitude of useful unclassified information available for this purpose, and the relative ease with which it can be collected, that makes the proper practice of Operations Security so important. It is also what makes the proper practice so difficult.
Since the missions and functions of traditional security disciplines (INFOSEC, COMSEC, et al) deal primarily with the protection of classified information, it is understandable that the natural predisposition of practitioners of those disciplines is to look at Operations Security as a part of, or an extension of, their particular discipline. Unfortunately for Operations Security, this predisposition results in a de facto default position with respect to the practice of Operations Security. This default position makes it difficult for these people to comprehend fully that the 5-step Operations Security process requires them to look outside of their respective discipline. Thus, as a practical matter, they usually end up giving only lip service to the actual demands of Operations Security.
Regarding the article on using security clearances at airports. Most of the problems identified are solved by the HSPD12 initiative (Homeland Security Presidential Directive). All federal employees and contractors will have a secure smart card with certificates with 2048-bit keys, issued through an approved process and system. OCSP is also a requirement. Cards will have signed photos and fingerprint records.
It may not be perfect (what is?) but a fair number of smart folks from NIST and industry have tried to set and implement standards (FIPS201 and various Special Publications) that make for a usable security credential that allows federal agencies to leverage the security conferred by other trusted agencies
I'd be very interested to hear what you think of this massive effort in an upcoming Crypt-gram.
Heard that a new security card is coming out for anyone with a good record to get but must go through extensive background, fbi and fingerprint checks first. Does anyone have any knowledge about this card and when it will be out to the public who travels a lot?
Good afternoon. We thought, because we had power, we had wisdom. Help me! I can not find sites on the: Car on finance. I found only this - new car finance company. An online car finance specialist will be familiar with the special offers provided by each lender and therefore in the best position to provide you with the cheapest car finance option. If you are seeking a finance package to buy a car, or any type of motor vehicle, then look for a site offering an car finance calculator and operate it. THX :rolleyes:, Sara from Rwanda.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.