Schneier on Security
A blog covering security and security technology.
February 23, 2006
U.S. Port Security and Proxies
My twelfth essay for Wired.com is about U.S. port security, and more generally about trust and proxies:
Pull aside the rhetoric, and this is everyone's point. There are those who don't trust the Bush administration and believe its motivations are political. There are those who don't trust the UAE because of its terrorist ties -- two of the 9/11 terrorists and some of the funding for the attack came out of that country -- and those who don't trust it because of racial prejudices. There are those who don't trust security at our nation's ports generally and see this as just another example of the problem.
The solution is openness. The Bush administration needs to better explain how port security works, and the decision process by which the sale of P&O was approved. If this deal doesn't compromise security, voters -- at least the particular lawmakers we trust -- need to understand that.
Regardless of the outcome of the Dubai deal, we need more transparency in how our government approaches counter-terrorism in general. Secrecy simply isn't serving our nation well in this case. It's not making us safer, and it's properly reducing faith in our government.
Proxies are a natural outgrowth of society, an inevitable byproduct of specialization. But our proxies are not us and they have different motivations -- they simply won't make the same security decisions as we would. Whether a king is hiring mercenaries, an organization is hiring a network security company or a person is asking some guy to watch his bags while he gets a drink of water, successful security proxies are based on trust. And when it comes to government, trust comes through transparency and openness.
Posted on February 23, 2006 at 7:07 AM
• 47 Comments
I agree with the proxy analogy, however I don't agree with the part where the government should explain the security measures they take to protect the American public. It's like broadcasting your firewall settings to the world! I understand the trust issue and I agree that most people would be nervous to have a foreigner watch their home, however, where do you draw the line when it comes to trust? The Oklahoma City bombing was performed by one of our own. We have Americans in our communities who think that burning a flag is part of their freedom of expression. We buy billions of dollars worth of products made in China, the last Communist stronghold left in the world. As mentioned in your article, most of what we do is all done by proxy, and I'm glad it is. The American public can't be trusted to make their own decisions. We're talking about a society that places more value on who won on American Idol, who's marrying Angelina Jolie or who’s going to the Super Bowl than on the education of their children. We're talking about a society who learns world politics thru the eyes of the media and what they see on TV and all of a sudden, they are experts in the matter. Some of the people have never left their home state or even their city. Does that sound like someone qualified to make decisions on world politics or homeland security? As far as I'm concerned, they don't need to know how the government is protecting them as long as they can get up every day and go about their lives knowing that they are safe and that once in a while, they pay their respects to the flag that represents the people who keep them safe. Let the people they elected take care of their dirty work, by proxy. I'm not a radical fundamentalist or a disgruntled person, I'm just an American that's tired of people blaming the government for everything that goes wrong and don't take responsibility for their own actions.
"There are those who don't trust the UAE because of its terrorist ties -- two of the 9/11 terrorists and some of the funding for the attack came out of that country"
I'd also read this argument in a BBC article regarding the sale. The person making that statement to the BBC also stated that they trusted P&O - a British company - even though four of the July 7th London bombers were from Britain and some of the funding for that attack came from within Britain.
That two terrorists came from the UAE (a country that has yet to have a successful Al Qaida attack against it, despite a heavy western presence in Dubai) is no more an indicator of the security afforded by Dubai ports than four British terrorists is an indicator of the security afforded by P&O.
"We have Americans in our communities who think that burning a flag is part of their freedom of expression."
I hate to break it to you, Razor, but until a constitutional amendment is passed that states otherwise, burning a flag IS part of our freedom of expression.
Hello, every action taken by a political figure is going to be motivated for political gain. It's like saying a quarterback's choice of plays was motivated by a desire to gain yards.
The lawmakers that are making all the noise need to do some checking before they call a press conference. I don't see how this is anything other than prejudice against an Arab nation. If the company could do the job when it was owned by England, it can do the job when owned by the UAE.
One thing you missed, incentives. I agree with you that the public will trust the government more if the government is open and transparent. But the government must also _want_ to gain the public's trust. They need an incentive to do so. I simply don't see that incentive in the current political climate.
Wikipedia has a good article on this, principal-agent problem.
Bruce's post (at least here, I've yet to read the full article at Wired) is 'safe' in the sense that it takes no explicit position on the merit of the UAE deal. That's OK though, because he raises a point no one else is really making about the deal: secrecy is reducing trust.
Razor, you hope for a world where people can 'go about their lives knowing that they are safe.' Like Bruce's proposal, yours seems based upon trust.
You just differ about where trust will come from.
Bruce suggests it will come from transparency. If I'm reading you right, you expect trust to flow from faith, in the absence of information that citizens 'don't need to know' anyway.
The political name of your model is authoritarianism.
I hope we can reasonably expect to see your model rejected, but I have to admit that's something of a faith-based position itself.
"As far as I'm concerned, they don't need to know how the government is protecting them as long as they can get up every day and go about their lives knowing that they are safe and that once in a while, they pay their respects to the flag that represents the people who keep them safe."
So, it sounds like you would advocate security through obscurity.
@arl It may be splitting hairs but
"I don't see how this is anything other than prejudice against an Arab nation. If the company could do the job when it was owned by England,"
is off target. The company wasn't owned by the British government. It was a privately held firm that is now going to be owned by a foreign government. Don't cloud the issue with perceived racism, I don't want any foreign government in charge of infrastructure operations anywhere in this country. Imagine if airport security was suddenly taken over by the Mongolians, they might do a fine job of it but I don't think their interests are going to be the same as mine when it comes to security.
If nothing is really wrong, then as Bruce points out, transparency will fix the problem. Explain why it's not a problem, don't tell us to ignore the man behind the curtain because we know better than you.
Re: Razor's "...they don't need to know how the government is protecting them as long as they can get up every day and go about their lives knowing that they are safe...." comment.
It's a mixed deal. It reminds me of Orwell, who wrote about dangers of totalitarianism, saying, "People sleep peaceably in their beds at night only because rough men stand ready to do violence on their behalf." But, then, Orwell wasn't saying that we should put blind trust in the men and those who deploy them.
One of the dark sides of "don't bother as long as you are safe" is that it can allow the tolerance for the neighbours getting the "midnight knock" and disappearing as occurred in some totalitarian societies.
"I don't want any foreign government in charge of infrastructure operations anywhere in this country."
- So what do you propose we sell to foreign governments with an excess of american dollars? To me, this sort of deal is an effect of the long-term trade deficit - they get dollars (since we buy from them), and they want to spend them.
There is another category of people who aren't at all trusting of this deal: The folks who see something wrong with a business operating in the USA being owned by another political state (country in colloquial terms). Once upon a time such a thing would not have been allowed due to fears of spying--which isn't a great reason, by the way. It is generally accepted here in the USA that some businesses will be owned in part or wholly by OUR OWN government (we the people retain control)--but putting the control of something that has traditionally been solely a private enterprise here in the USA under the control of a corporation WHOLLY OWNED by a foreign government is what now has people thinking (we the people give up a lot of control, and we begin funding that government directly). For this group this problem deal isn't about racism--it is about sound business practices (odd as it may sound).
I'm not quite sure what to think myself--but some of the background info I've stumbled across (and haven't yet found a great way to verify) don't give me a "peaceful easy feeling."
We don't care what particular company or nation is taking control of our ports' affairs.. it's the fact that it should be controlled and owned by the US govt. Not even having it controlled by a US company would settle well in my opinion. Anything less smells of pocket lining and conflicts of interests.
"...trust it because of racial prejudices."
Umm -- the UAE is not a race. There are white, brown, black and oriental UAE citizens. Just like not liking Mexicans is not racist because there are white, black, brown, etc. Mexicans. Those are countries not races.
If somebody doesn't like the UAE it is a nationalist prejudice and hopefully it is still o.k. to not like a country.
Not only did 9/11 terrorists come from UAE, but we are currently warring with two countries from that region over "terrorism." We are building a fighting case against Iran over nukes. We are concerned over Hamas winning the Palestinian vote. A cartoon sparked weeks of rage, violence, kidnapping and property destruction in that region. We are supposedly "addicted" to oil, much of which comes from that region (though we get most from Canada). Pakistan, our supposed friend, is responsible for selling nuke secrets. The UAE is not a democracy, but is ruled by Muslim Emirs. And we are told that port security is a gaping hole.
So why would Bush secretly and defiantly allow the UAE deal to protect our ports?
It seems that if we are trying to promote freedom and democracy, we shouldn't be outsourcing port security to a country that provides neither.
And is outsourcing security of a country really something that we should be doing, whether UAE or British? Has outsourcing gone so mad that we'll allow other countries to control the security that should be provided by our own federal government?
I sometimes wonder what world many of the posters here live in. It certainly isn't the same one I'm in.
"Has outsourcing gone so mad that we'll allow other countries to control the security that should be provided by our own federal government?" says Harold - despite the fact that port security is not under consideration as a part of this deal.
"We have Americans in our communities who think that burning a flag is part of their freedom of expression." says Razor, apparently ignoring that if it's respectful and recommended to burn a flag because it is old (US Flag Code), but not acceptable to burn it as an expression of irritation, then the only reason to prevent that latter burning must be because of the expression itself.
What's up for grabs here is the terminal operations - the loading and unloading of boats, and the management of the people that do that - not the customs and security personnel.
Are we really expecting that the sale of P&O to DP World means that suddenly truck-loads of hostile arabs (or even the non-hostile ones, which are far more numerous) will arrive at ports to replace the gantry and crane operators currently there?
What happened last time a company you worked for got taken over?
If it's anything like the ones I've worked for, it simply meant that there was a new name and face on the cover of the prospectus, and existing employees were shuffled around a little.
Oh, and to help Razor sleep at night, it might be worth pointing out that in the NPR report on the New York port involved in this deal, it was noted that of the six terminals, two are owned by Chinese companies, and another by a Danish company. Hmm... Denmark... I'm going to guess that terminal is a far more likely target of Moslem extremism than the one that will soon be owned by DP World.
To me the most disturbing thing is that the government has been conducting the public business in complete secrecy, to the extent that the person ostensibly in charge -- George W -- was not in on the secret. He found out after the news was made public.
I am glad that, this time at least, the media did not check with the government first for permission to release the news. It did not sit on the news for a year or so, as we now know it has done in cases.
I suspect if the American public found out all the government is doing right now behind their backs, we'd bring back hanging.
"What happened last time a company you worked for got taken over?"
The engineering department was laid off because the new owners had a subsidiary that could do the work "cheaper."
Razor- You make the case that security should be faith based. Taken another step, if the government were free from having to explain itself, would you like your tax bill when suddenly your rate shot up to 95%, without explanation?
This is exactly the kind of behaviour that the Founding Fathers were adamantly opposed to. The entire Constitution was written on the premise that the people retain the power, not a tyrannical government, and certainly not a king (which is, I'm afraid, what Bush is styling himself as.)
What particularly bothers me is that the decision was made, then Bush extolled the virtues of a sale he later declared he had no knowledge of. It's yet another example of the systematic way his administration has of lying to the World.
"As far as I'm concerned, they don't need to know how the government is protecting them ... I'm just an American that's tired of people blaming the government for everything that goes wrong and don't take responsibility for their own actions."
If you foster the people's blind dependence on a benevolent and secure government, how could you possibly be surprised if they blame that same government when things go wrong? People who take responsibility for their own actions are exactly the same kind of people who question their government and demand its openness. You can't have it both ways.
I certainly agree with your assessment, but I'm not sure I'm comfortable with the idea that a Dubai-based company automatically should not be trusted because the UAE of which Dubai is part are said to have "ties" to terrorism.
The Unabomber was a US-American, for example, and there's many other US-American terrorists. Does that mean I can't trust US-American companies anymore?
Admittedly, one might argue that it's not just about random terrorists who just happen to have "ties" to the UAE by pure coincidence, but it's already getting murky then. Is there any actual proof that there was any official involvement? Or at least, is there reasonable evidence? I don't know enough about it to answer these questions, but I'm certainly not 100% convinced that the answer is "yes" (although I'm not at all convinced that the answer is "no", either).
But even if there *was* proof, I still don't see why a random company based in Dubai would be suspect due to this. The current US administration has arguably been involved in acts that have cost the lives of tens, if not hundreds of thousands, most of them civilians; by the same reasoning, one could now say that companies from the USA should never be trusted.
I strongly suspect that that's what politicians in fascist states like Iran are saying - that the USA are the great satan, that they can't be trusted, and so on. It's a huge mistake to identify the government with the people, though, and I think we should try to not make the same mistake.
In the end, I do think that outsourcing security like that is an (at least a priori) questionable move in terms of security, but I don't think that it matters much whether the company tasked with implementing the whole thing is from the UK or from Dubai.
It all seems more like an example of agenda to me - or rather, an example of why people adhere to agendas. Any company can screw up the security measures it's supposed to implement, be it out of incompetence or malice, but if it happens, the uproar will be much bigger if it turns out that the company was from the UAE - one of the "enemy states" with "ties" to terrorism. I doubt this particular company will keep this particular job for long, simply because those in charge want to cover themselves in case something goes wrong, but I don't see the use in fanning the flames - that's just ensuring that people *will* be worried more about their own agenda than about actual security.
Razor: If you think that government should be taken on faith, you may be an american citizen, but you're not american any more.
My firewall settings are:
* do NAT on outgoing connections, and incoming connections directly related to them (such as the back-and-forth required by FTP)
* accept incoming SSH connections, but rate-limit them if they aren't from my desktop machine at work.
* accept incoming HTTP connections, only from my desktop machine
* reject ident connections
* drop all other packets
If your security precautions are secure, it's okay to disclose them.
Guilt by proxy.
One of the reasons we cannot trust those UAErs is that some of the funding for the 9-11 attacks went through that country. I've heard the same thing about online casinos and offshore banks. Ipso facto, the US Govt must be allowed to control these avenues. Once they have these nasties under their thumb, it will be something else, and something else... One ring to rule them all.
Injudiciously grouping millions of people by label certainly appeals to the basest human instinct. But it is a vestigial social remnant of a long antiquated tribe system. The correct way to implement security is through robust processes. I have to think that at least some of those grandstanding over this issue are aware of this, but prefer to make political hay rather than do the heavy lifting.
"In the end, I do think that outsourcing security like that"
Like this UAE deal?
Not that there mightn't be other reasons why the deal smells to high heaven -- I'm just asking: What element or elements of the necessary security activities (ones that we may or may not be performing today) of our ports have you heard is being potentially outsourced under this deal?
Have I misread anyone here if I've been unable to find mention of anything specific that is a necessary security activity? Not to mention saying the UAE deal in particular would outsource that specific activity.
And yet every fourth person says something that makes it sound like they've assumed that as a precondition of the discussion...
What do you folks think constitutes a necessary security activity at US ports?
Matthew Skala: "drop all other packets"
You block all ICMP? It's hosed. How about path MTU discovery etc.?
I know nothing about these companies in question, but I'd be very careful about outsourcing any critical infrastructure of a country.
I just wanted to point out that there is no analogy.
The word 'Proxy' existed long before people started applying the name to technology.
Well, I'm pleased to report that the Committee on Foreign Investment in the US, which has been criticized for rubber-stamping this ports deal, has taken the wisdom of the infosec community to heart and....
delayed the acquisition of Sourcefire by Checkpoint
has more details, but the gist seems to be that Checkpoint is an Israeli firm.
Is there an inconsistency here, or is it just me?
"I know nothing about these companies in question, but I'd be very careful about outsourcing any critical infrastructure of a country."
I'd be interested to see how they're going to move New York harbour to Dubai.
You don't need ICMP or path MTU to effectively host anything.
Path MTU is hardly used and ICMP not needed. Now in IPV6 it is different.
I asked: "What do you folks think constitutes a necessary security activity at US ports?"
Which must have been some kind of mad talk, because that sound you hear is the crickets.
Because we're f*cked. Surely, there was some romance to it?
Huge: I'm sure Bush had already proposed that.. :)
1. It would be racist if we held Dubai Ports World to different standards than the British company. The truth is that we're holding DPW to LESS STRINGENT requirements. We're not requiring them to keep records on American soil, thus allowing access through court order.
2. "DPW is not handling security." This is unvarnished bullcookies, as neither the Coast Guard nor Border Patrol operate on the physical ground of the port. You won't find the Coast Guard at the gates to the terminal, or any of the buildings. It remains a sad reality that we do not have a means of inventory/tracking a container from overseas to here (that is, we have no idea if the 5,000 bobblehead dolls from Pakistan are actually 4,000 bobbleheads and a shipment of arms), nor of ascertaining whether a container has been accessed in transit. Remember news stories of refugees from China and other countries cramming into containers so they could reach America? How is this secure?
3. After the USS Cole bombing, Yemen also positioned themselves as an ally in the fight against terrorism ... yet only recently, the prime suspect in that case escaped from a state-controlled facility with 22 like-minded individuals. Basing the validity of this deal on, "Well, Dubai/UAE are our friends, and we don't want to anger our friends ..." is NOT sound security practice.
4. Our ports are not secure. Handing over primary control and operation to a national-flag carrier, UAE or not, is questionable at best.
5. Security has nothing to do with the employees in place at these ports. They don't inventory or inspect containers, they move them off a ship and onto a train car or big rig.
I can't believe the unvarnished racism (and it is racism, as it's anti-Arab comment) that's being posted here. Sweeping generalisations seem to be the order of the day for the bigots. Just because two of the 911 terrorists came from the UAE does that make all Emiratis evil? Of course not but don't let reason get in the way of a good fascist rant.
The "wired money" argument is flawed as the money was also wired into the US. I guess the US should be excluded from running its own ports too if the same standards are applied.
If some Americans think foreign investment is bad then I suggest you recall all your fast food outlets from other countries as they have probably killed more people through obesity and coronary problems than the 911 terrorists did.
Bruce, would you please explain what you mean when you state that security will be surrendered to a Dubai-based company or are you talking--to quote the WSJ--alarmist nonsense?
"Does it make sense to surrender management, including security, of six U.S. ports to a Dubai-based company? "
WSJ (Wednesday, February 22, 2006): "Besides, the notion that the Bush Administration is farming out port "security" to hostile Arab nations is alarmist nonsense. Dubai Ports World would be managing the commercial activities of these U.S. ports, not securing them. There's a difference. Port security falls to Coast Guard and U.S. Customs officials. "Nothing changes with respect to security under the contract," Defense Secretary Donald Rumsfeld said yesterday. "The Coast Guard is in charge of security, not the corporation.""
It's pretty clear that if I can choose the employees working at the dock, in whatever form (even around union rules and such), I will have an easier time getting around the security there. The WSJ editorial is just repeating the white house spin on this, which is (as political spin usually is) fairly silly.
But I agree with Bruce that the larger issue isn't this particular deal, it's that security decisions in general aren't being handled in a way that gives much confidence. Was this a completely reasonable deal? Was allowing it a bribe for support in some other area from the UAE? Was the deal approved because the UAE government greased the right palms? More transparency would probably help here.
A more fundamental improvement would be some evidence that the people making national security decisions against the terrorists were mostly smarter than the ones making the decisions I can actually observe. We can't see most of those decisions, and often that's for good reasons. But the ones we encounter day to day--airport security, the invasion and occupation of Iraq, the changes in threat levels for reasons that have sometimes looked suspiciously political--don't inspire confidence. Similarly, I hope the government has a good plan in place for dealing with a terrorist nuke or dirty bomb, but what I've seen of a Federal response to a crisis of that scale so far was the incompetent handling of Katrina.
So what happens when American ships, including US naval vessels, dock at the many other world ports that will be controlled by DP World, no matter what the US decides regarding the six US ports in question? Better stay at home and get in the backyard bunker. It's dangerous out there, don't you know? Ignorance breeds fear. And let's face it, when it comes to other countries and peoples, Americans are notoriously ignorant. Easy pickings for vote-hungry Washington pols, even if their hysterical ravings cost us real security.
How fear is controlling US thinking, Ronald Brownstein
"The dispiriting drumbeat of these events - punctuated by the savage sectarian violence convulsing Iraq - are causing even temperate voices to wonder if the world is really careening into some fundamental clash of civilisations. It's easy to predict the impact if the US decides it does not trust a company owned by even an ostensibly friendly Arab government to operate facilities at US ports. Many in the Islamic world would surely take that as a sign that America sees itself in a clash of civilisations, - and in that interpretation, the Islamic world might well be correct. Stephen Walt, a professor of international relations at Harvard University's Kennedy School of Government, says the Western and Islamic worlds increasingly appear trapped in a "conflict spiral . . . that is hard to unwind". By Bush's own logic in Iraq, the Dubai port deal is suspect. But Congress needs to think carefully about whether the deal's potential risk justifies the clear danger of twisting that spiral a notch higher."
Harboring prejudice and politics: The ‘Dubai ports’ debate, James Zogby
"If this anti-UAE campaign succeeds, there is no public diplomacy campaign that can salvage the damage. Arabs, you see — not unlike any other people — react not by what you say about yourself but by how you treat them. Having said all this, the current exercise in Arab-bashing is, in fact, nothing more than election year politicking at its worst with Democrats feeling that Bush is vulnerable and piling on, and Republicans feeling vulnerable and joining the fray. If it weren't so serious and dangerous, it might be comical. We've seen scenes like this before, as Congressmen and Senators literally trip over each other, risking injury on their way to the microphone, calculating just how outrageous they need to be to guarantee that their sound bite will be the one on the evening news. In this game, facts don't matter. Instead, hyperventilating on their own rhetoric, exaggerations abound."
I agree with you on your points about lack of confidence. However, management by UAE or British companies doesn't make the ports insecure. The issue with insecurity at US ports is that the security is being managed by Americans. Not much has been spent on securing US ports (relative to airports--not that that means much) and what has been spent has often been spent badly. Pointing the finger at DP World and screaming hysterically just makes American look stupid.
I'm not apologizing for Bush either. I don't disagree with him on this one for once (although suspect the P&O and DP World deal was more an awkward fait accompli for him) but amusing that he's getting done in by the politics of fear that he himself has used so effectively. Live by the sword; die by the sword.
This may be completely beside the point, but does anyone here have any idea if there are ports in the US that are currently secured by foreign governments? I'm relatively new to this subject, so I feel a little behind. Bush seemed to act like this was nothing out of the ordinary. Could this already be the case at many US ports, and we just haven't been made aware of it? No media outlet seems to have answered this question, and it just keeps popping up in my mind.
I agree that our government should not reveal any security protocol. However, I think that we the people are due some explanation.
I mean after the 9/11 attacks we were fed a lot of garbage about "a determined enemy". The same enemy that we are giving the keys to our front door. We forfeited many civil liberties under the so-called patriot act and the 9/11 security commission.
We did so because we wanted nothing more than to avoid a similar attack. We even re-elected this administration because it convinced us that it was "resolute" about U.S. security.
Please read this article "Paying for Terror" and its related links in the UsNews Issue of 12/05/05.
Rupal's link http://www.usnews.com/usnews/news/articles/... (click on my site) ; Summary: the DEA is feeling left out of the funding for anti-terrorist actions and wants to have the war-on-drugs redefined to be a valuable part of the war-on-terror in order to improve its funding chances in future budget rounds.
If left up to the gov't, security isn't a priority until there is some political gain to be had. If left to a corporation, security isn't a priority until there is money to be lost.
The problem here is that those looking for political gain are trying to confuse the issue by making the public think that this foreign corporation would be responsible for security. It's likely that Dubai would take extra precautions... to avoid losing money AND becoming a scapegoat.
Security at our Sea Ports is not the primary issue! The crux of the issue is, why are we relying on outside entities for crucial Internal Operations?
Who currently owns these ports as of March 21, 2006? I'm doing a speech report on this and can't find info on who actually has the control of our ports right now.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.