Schneier on Security
A blog covering security and security technology.
« Iraqi Election Security |
| The Weakest Link »
January 31, 2005
TSA's Secure Flight
As I wrote previously, I am participating in a working group to study the security and privacy of Secure Flight, the U.S. government's program to match airline passengers with a terrorist watch list. In the end, I signed the NDA allowing me access to SSI (Sensitive Security Information) documents, but managed to avoid filling out the paperwork for a SECRET security clearance.
Last week the group had its second meeting.
So far, I have four general conclusions. One, assuming that we need to implement a program of matching airline passengers with names on terrorism watch lists, Secure Flight is a major improvement -- in almost every way -- over what is currently in place. (And by this I mean the matching program, not any potential uses of commercial or other third-party data.)
Two, the security system surrounding Secure Flight is riddled with security holes. There are security problems with false IDs, ID verification, the ability to fly on someone else's ticket, airline procedures, etc.
Three, the urge to use this system for other things will be irresistible. It's just too easy to say: "As long as you've got this system that watches out for terrorists, how about also looking for this list of drug dealers...and by the way, we've got the Super Bowl to worry about too." Once Secure Flight gets built, all it'll take is a new law and we'll have a nationwide security checkpoint system.
And four, a program of matching airline passengers with names on terrorism watch lists is not making us appreciably safer, and is a lousy way to spend our security dollars.
Unfortunately, Congress has mandated that Secure Flight be implemented, so it is unlikely that the program will be killed. And analyzing the effectiveness of the program in general, potential mission creep, and whether the general idea is a worthwhile one, is beyond the scope of our little group. In other words, my first conclusion is basically all that they're interested in hearing.
But that means I can write about everything else.
To speak to my fourth conclusion: Imagine for a minute that Secure Flight is perfect. That is, we can ensure that no one can fly under a false identity, that the watch lists have perfect identity information, and that Secure Flight can perfectly determine if a passenger is on the watch list: no false positives and no false negatives. Even if we could do all that, Secure Flight wouldn't be worth it.
Secure Flight is a passive system. It waits for the bad guys to buy an airplane ticket and try to board. If the bad guys don't fly, it's a waste of money. If the bad guys try to blow up shopping malls instead of airplanes, it's a waste of money.
If I had some millions of dollars to spend on terrorism security, and I had a watch list of potential terrorists, I would spend that money investigating those people. I would try to determine whether or not they were a terrorism threat before they got to the airport, or even if they had no intention of visiting an airport. I would try to prevent their plot regardless of whether it involved airplanes. I would clear the innocent people, and I would go after the guilty. I wouldn't build a complex computerized infrastructure and wait until one of them happened to wander into an airport. It just doesn't make security sense.
That's my usual metric when I think about a terrorism security measure: Would it be more effective than taking that money and funding intelligence, investigation, or emergency response -- things that protect us regardless of what the terrorists are planning next. Money spent on security measures that only work against a particular terrorist tactic, forgetting that terrorists are adaptable, is largely wasted.
Posted on January 31, 2005 at 9:26 AM
• 22 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
"Money spent on security measures that only work against a particular terrorist tactic, forgetting that terrorists are adaptable, is largely wasted."
As I've also mentioned before our security appears to rely strictly on reactive measures rather than proactive measures. Don't we have "think tanks" anymore? Have they gone the way of the dodo?
Is it fair to generalize that active security methods are generally preferable to passive ones? That is, simply waiting for terrorists to fall into one of you security nets is not a high yield approach?
Excellent insights into the program. Can you comment on whether redress is also improving? Aside from the major improvements in the matching algorithm, what is being done about how passengers can appeal if they have been wrongly identified as terrorists?
Perhaps due to all the pre-RSA vendor material I have been reading, this entry reminded me of the intrusion detection and intrusion prevention marketing. The story goes that if we sit and just passively detect everything on the network, we generate a massive overload of information about attacks – too much data too late to prevent consequences. On the other hand, if we tune our attack profiles and use a proactive screening system, then we block attacks as well as potentially legitimate traffic. We have to figure out the trade-off and right now we are barraged with advice to be proactive rather than just well-informed and reactive…even though the proactive controls are still based on a rather fuzzy and ill-defined practice of attack profiling.
This makes me to think about a major difference between securing network and passenger traffic; it might be feasible to actually profile and detect passenger terrorist threats as they probably represent a very minute percentage of the overall population, whereas the percentage of “attacks��? on a publicly exposed network is extremely high especially if you include all the reconnaissance and spam.
I like your suggestion that we vigorously investigate terrorist leads, but could it really be successful today without huge privacy/freedom trade-offs? There appear to be a number of factors that might have led policy makers to conclude that the present system is not ready to investigate leads in a timely fashion:
-- Bush was reported to ignore the “Clinton people��? that warned him of attacks. Whether that is true or not, it seems plausible that partisan politics (not necessarily in the interest of the public good) can easily interfere with our current intelligence system. If you engage it today to aggressively seek and destroy terrorists, we go right back to the discussion on behavior profiling.
-- As percentages change, and terrorists become more commonplace, the costs of detective intelligence skyrocket. Synthetic reasoning must be exceptionally efficient to deal with overwhelming amounts of data and analytic reasoning must be exceptional to decipher the core problems and act on them effectively.
Just out of curiosity, are you advocating something more along the lines of the highly specialized Israeli Shin Bet or special counter-intelligence units? Would you go so far as to say more cost-effective preventative measures include propaganda?
This counter-terrorism measure is (assuming it works the way Bruce described - no fp/fn) effective, to the extent that it stops would-be terrorists from flying.
It is not enough - you still need to tie people's physical identities to their names (by fingerprinting the lot of them, for example).
And you still have to cover other venues of attack - CTG (the name I just invented for this system - CT Grid) would have to monitor shopping malls, banks, money transfers, credit card use, ATM use etc. Cash will have to be discarded and eventually disused.
It would have to cover all means of transportation - busses, trains, cars. It will have your absolute car location with your name attached, because the ignition will have to be fingerprint-enabled.
CTG will have to keep close watch on operators of mass transportation vehicles like pilots and train engineers, would have to keep tabs of every skydiving event, every hang-glider operator.
CTG will eventually know of every computer user, every internet log-on, every TCP connection opened, every web transaction. An IP address will have a strong 1:1 connection with a person, not a computer (fingerprint scanners for the masses). TCPCA can be an important part of that.
With these capabilities, CTG will be an immensly useful tool for spotting and eliminating terrorist organizations. It will be virtually impossible for any group of people to cooperate over any distance other than a few blocks without their relationship showing up in some form on the CTG. We will be much safer from these groups.
On a side-note, credit-card fraud, financial fraud and fraud in general and probably random violence and use of lethal force will probably be on the decline.
The only drawback of this is zero privacy to anyone. And the CTG will, like Bruce say, be used for means other than originally intended.
O'er the land of the free and the home of the brave.
"Can you comment on whether redress is also improving? Aside from the major improvements in the matching algorithm, what is being done about how passengers can appeal if they have been wrongly identified as terrorists?"
No; these are the sort of details that are covered under the NDA. It's my hope that the TSA will publish more about this, though.
"Is it fair to generalize that active security methods are generally preferable to passive ones? That is, simply waiting for terrorists to fall into one of you security nets is not a high yield approach?"
That's a fair generalization, although as with all generalizations there are exceptions. Counter-terrorism methods that rely on the terrorists choosing a particular tactic or target are less effective than those that work regardless of the terrorist tactic or target.
Remember my meta-comment on the no-fly list: It's a list of people so dangerous that they cannot be allowed to fly under any circumstance, yet so innocent that they cannot be arrested...even under the provisions of the PATRIOT ACT.
Like you are so apt of pointing out, TSA has its agenda here of making flights safe. In the big picture, it might not impact terrorism, and they could care less about the bomb in the marketplace. But it should make our flights safer, and removes the means of using airplane as weapon. Since people are worried about airplane being used as weapon, that is a security gain in their perspective.
You forgot to mention that even if the list of suspects were worth the paper it is written on, it would never contain all terrorists. If all terrorists were known and their names neatly listed in a database, anti-terrorism would be the easiest thing in the world. It is incredible hwo easily people forget that you must know every dangerous individual in order to make such a security approach effective. And it gets worse. If a terrorist suspects is prevented from boarding a plane, he will be warned that he's on the list. In the end, it will make the terrorists safer, not the rest of us.
Reminds me of the notion that we get spammers to include some descriptor in the subject field so we all know it is spam. We label certain people terrorists, then our clever filter stops them when they identify themselves. As I occasionally sift through a massive collection of quarantined e-mail I will rarely come across as subject line with [ADV] in it.
How about some of the Israeli methods that seem to have proven themselves effective such as screeners at the airport being trained to identify suspicious behavior? Gee, should that packet heading for that server really have SQL commands embedded, should our workers be getting mortgage offers, should that nervous fellow without luggage traveling cross country be traveling on a ticket he just paid for in cash?
That's what I mean...network abuse is on a massively accelerated schedule, so if it's any indication of what to expect, we will need to do a lot better than content filtering when it comes to profiling terrorists. If you look at the public stories of Shin Bet, or read Clancy, maybe the strategic pre-emptive strike is the answer. Imagine if the gov't made spam a serious felony and then agressively shutdown offenders. I think that might have been Bruce's point, that it might cost a lot less to track and disarm rather than make everyone filter messages.
It would be naive to think that a terrorist would be a "nervous fellow without luggage traveling cross country be traveling on a ticket he just paid for in cash". The 9/11 hijackers looked pretty relaxed on the security cameras and I do not think they appeared on the terrorist watchlist. If you draw a plan to use an airplane as weapon, you certainly take care of minor details like staying off the list or living your coverstory.
The question is, is it worth the money? Yes, flights might be somewhat safer, but are the cost justifyable if it means that you can spend less on border patrol?
Since 9/11 the US is focussed on airline security, due to the shock-and-awe effect. But there are much more (and better) means of terrorizing a society.
(Remember the guy in the white van sniping people in Washington DC? Imagine if you have 10 of those guys in all major cities, shooting at random at the same time...)
I have to disagree with that last comment, how can it possibly be worth the money if all it's going to do is stop known terrorists from flying? The known ones are unlikely to blow themselves up - it's the unknown ones you have to worry about and they'll just be able to walk on through.
America is spending billions on ridiculous 'anti-terrorism' measures that achieve nothing except annoying and inconveniencing passengers. The people are being whipped into a state of fear by the government. Everybody is over reacting to anything bad that happens (ie immediately presuming it's a terrorist attack). Sounds to me like the 'bad guys' are winning without actually having to do anything.
I think Bentham beat you to the CTG idea with his Panopticon :^(
Just a thought. Why are we wasting our time and money deciding who should fly and who should not based their name? Why should we care who is sitting next to us on the plane? What we should care about is what this person is trying to carry on the plane whether in carry-on bags, checked bags, on their bodies, in their clothes, or in the cargo they are having shipped.
I really do not care who the person is who is sitting next to me nor their political view points or the warped and incorrect view they have of their religion (if they are a terrorist). I do care that they did not bring a viable weapon with them, that they do not smell bad, they share the common armrest, and they only bring the allotted number of suitcases on board with them.
I do not know if you meant to be ironic, but the sniper actually was NOT driving a white van. Those reports were based on witnesses near the sniping claiming they saw a white van leaving the scene. It soon became apparent that white vans are everywhere, since they are the defacto vehicle for laborers (painters, plumbers, carpenters, etc.)
The actual sniper vehicle was a slightly modified sedan and many said that if the sniper had not turned himself in it would have taken many more lives to find him.
Another take on the same issue, trusting that U.S. intelligence teams can actually "pinpoint" terrorists reliably, is revealed in today's Guardian:
"We are relieved that one man's three year internment has been brought to an end by this home secretary. However, C never had the opportunity to answer any allegations, and the public has no idea why yesterday he was dangerous and today he is safe. This is a glimpse of the terrifying future where everyone may be subjected to detention on the basis of secret intelligence and a politician's whim."
Not to nit-pick (and off-topic, at that), but the snipers didn't turn themselves in. A description of the correct car was out by then, and a truck driver saw it parked in a rest area (with the snipers asleep inside) and called the police.
Talking about national security:
"Elliott Abrams, who pleaded guilty in 1991 to withholding information from Congress in the Iran-contra affair, was promoted to deputy national security adviser to President Bush."
Traveler's complaints go straight to the airlines which in turn take their amassed complaints to federal agencies like the Transportation Safety Agency (TSA). The agency responsible for overseeing the safety of U.S. travelers, is now more concerned with "throughput" and timely flights than they are in finding IEDs, and other dangerous items such as the one mentioned in this article: http://www.xrayit.com/news.shtml
I would like to comment you something that happen to me, today. In the morning I flew from Miami - in Continental - to Newark. I have two gifts that my daughter sent to her sisters. TSA confiscate the gifts because I cannot allow to flight with it on my carrion on. I understand that the security is priority and very important. They advice me go back to the counter, get a ticket and be back to the line to be check, again. Then, after I arrived to my destination I can claim the gifts. If I do this, I could lose my flight. I didn’t have more choice that loses the gifts.
Why they don’t give me the ticket there, right away. Why send me back to the counter and do the line again. They can manage this situation in different way. Sorry to bother you. I would like your feedback about it.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.