CYA Security

Since 9/11, we've spent hundreds of billions of dollars defending ourselves from terrorist attacks. Stories about the ineffectiveness of many of these security measures are common, but less so are discussions of why they are so ineffective. In short: much of our country's counterterrorism security spending is not designed to protect us from the terrorists, but instead to protect our public officials from criticism when another attack occurs.

Boston, January 31: As part of a guerilla marketing campaign, a series of amateur-looking blinking signs depicting characters in the Aqua Teen Hunger Force, a show on the Cartoon Network, were placed on bridges, near a medical center, underneath an interstate highway, and in other crowded public places.

Police mistook these signs for bombs and shut down parts of the city, eventually spending over $1M sorting it out. Authorities blasted the stunt as a terrorist hoax, while others ridiculed the Boston authorities for overreacting. Almost no one looked beyond the finger pointing and jeering to discuss exactly why the Boston authorities overreacted so badly. They overreacted because the signs were weird.

If someone left a backpack full of explosives in a crowded movie theater, or detonated a truck bomb in the middle of a tunnel, no one would demand to know why the police hadn't noticed it beforehand. But if a weird device with blinking lights and wires turned out to be a bomb -- what every movie bomb looks like -- there would be inquiries and demands for resignations. It took the police two weeks to notice the Mooninite blinkies, but once they did, they overreacted because their jobs were at stake.

This is "Cover Your Ass" security, and unfortunately it's very common.

Airplane security seems to forever be looking backwards. Pre-9/11, it was bombs, guns, and knives. Then it was small blades and box cutters. Richard Reid tried to blow up a plane, and suddenly we all have to take off our shoes. And after last summer's liquid plot, we're stuck with a series of nonsensical bans on liquids and gels.

Once you think about this in terms of CYA, it starts to make sense. The TSA wants to be sure that if there's another airplane terrorist attack, it's not held responsible for letting it slip through. One year ago, no one could blame the TSA for not detecting liquids. But since everything seems obvious in hindsight, it's basic job preservation to defend against what the terrorists tried last time.

We saw this kind of CYA security when Boston and New York randomly checked bags on the subways after the London bombing, or when buildings started sprouting concrete barriers after the Oklahoma City bombing. We also see it in ineffective attempts to detect nuclear bombs; authorities employ CYA security against the media-driven threat so they can say "we tried."

At the same time, we're ignoring threat possibilities that don't make the news as much -- against chemical plants, for example. But if there were ever an attack, that would change quickly.

CYA also explains the TSA's inability to take anyone off the no-fly list, no matter how innocent. No one is willing to risk his career on removing someone from the no-fly list who might -- no matter how remote the possibility -- turn out to be the next terrorist mastermind.

Another form of CYA security is the overly specific countermeasures we see during big events like the Olympics and the Oscars, or in protecting small towns. In all those cases, those in charge of the specific security don't dare return the money with a message "use this for more effective general countermeasures." If they were wrong and something happened, they'd lose their jobs.

And finally, we're seeing CYA security on the national level, from our politicians. We might be better off as a nation funding intelligence gathering and Arabic translators, but it's a better re-election strategy to fund something visible but ineffective, like a national ID card or a wall between the U.S. and Mexico.

Securing our nation from threats that are weird, threats that either happened before or captured the media's imagination, and overly specific threats are all examples of CYA security. It happens not because the authorities involved -- the Boston police, the TSA, and so on -- are not competent, or not doing their job. It happens because there isn't sufficient national oversight, planning, and coordination.

People and organizations respond to incentives. We can't expect the Boston police, the TSA, the guy who runs security for the Oscars, or local public officials to balance their own security needs against the security of the nation. They're all going to respond to the particular incentives imposed from above. What we need is a coherent antiterrorism policy at the national level: one based on real threat assessments, instead of fear-mongering, re-election strategies, or pork-barrel politics.

Sadly, though, there might not be a solution. All the money is in fear-mongering, re-election strategies, and pork-barrel politics. And, like so many things, security follows the money.

This essay originally appeared on Wired.com.

EDITED TO ADD (2/23): Interesting commentary, and a Slashdot thread.

Posted on February 22, 2007 at 5:52 AM • 84 Comments

Comments

WitchDrFebruary 22, 2007 6:53 AM

Bruce, I agree a lot of security stuff is "theater" but why is it that you say "We might be better off as a nation funding intelligence gathering and Arabic translators" but when we do this, you and others scream about how program X is a blatant violation of rights, etc. etc.

billswiftFebruary 22, 2007 7:14 AM

"Mass surveillance" is a blatant violation of civil rights on a massive scale. As well as being a waste of time, money, and attention.
"Intelligence gathering" is looking at specific risks and threats, not fishing.

Mike SherwoodFebruary 22, 2007 7:30 AM

I suspect that most security organizations are similar to IT organizations in that they will naturally migrate towards being ineffective.

The idea is that a well run IT group keeps things going and all that the end users know is that stuff works. Whether it works because the people are smart and do a good job or because the infrastructure is good and the people don't have to do anything look exactly the same to management. Therefore a well run IT group will get its budget cut because there is a perceived opportunity to save money since the group isn't needed in a visable manner to the budgeting people.

On the contrary, a poorly run IT group will be at people's desks every day responding to problems that wouldn't exist if they implemented common infrastructure components. This creates the impression on management that the group is well run because there is a visable impact when problems arise and these people come out to address the problems.

The result of this is that people who are incompetant are more likely to get increased budgets while the competant people are let go. This creates an environment where everyone is constantly putting out fires and that is considered a good thing because it's visable.

This seems to be what happens with any large organization with regards to IT or security. If your security is good, you don't get to claim that your department needs more money because you found 500 systems compromised this month. If you took preventative measures to avoid those compromises, you get to claim you did your job, which is not very impressive when rendered into a powerpoint presentation.

Since large organizations encourage the empire building mentality, the only way to succeed is to increase staff and spending. The easiest way to increase staff is to hire low cost chair warmers. Coincidentally, this also increases spending while not necessarily helping security in any way. The goal can be to keep things barely running and hire the people who are barely capable of doing that so that it will appear to work most of the time, but whenever the system is stressed, will provide justification for further empire building.

Since the senior leadership gets into their position through the empire building process, it seems that there is no way to introduce a philosophy of doing more than the bare minimum at a level that can affect change.

In a small organization where everyone knows each other and knows who they can trust, it's easy to encourage smart behaviors since the alternative is to go out of business. However, I don't see a viable path for getting this into large organizations like governments.

ZwackFebruary 22, 2007 7:43 AM

billswift has it exactly right.

There is a difference between "intelligence gathering" and "mass surveillance".

Intelligence gathering should be targeted, and that would make it limited. There is no point in listening to a phone conversation between my wife and I about what to eat for dinner just because a terrorist ate dinner at some point in his life.

The idea seems to be that we can use Data mining techniques on a massive database of information about everyone and spot the terrorists. Just because a terrorist ate at a particular restaurant doesn't make everyone who has ever eaten there a terrorist.

Data mining, as far as I can tell, is effective in giving you broad correlations that might be useful if you are trying to predict behaviour en masse. For example, a supermarket might be interested that 75% of people who bought cookies also bought milk. They might then be able to tie special offers together or suggest to the other 25% that milk goes well with cookies.

However Terrorists are such a small percentage of the population that statistical correlations are less likely to be valid. A given IRA terrorist might have a lot more behaviours in common with other Irish people than with a member of the Tamil Tigers, or the Red Army Faction. All three are terrorists, but no generalisation would tie all three together.

Focussed intelligence gathering would work with the fact that a known terrorist ate at a particular restaurant, and try to expand on that. They might have surveillance of the restaurant to see if he met someone there. They might look at who else visited the same restaurant in a similar pattern, but they wouldn't just start investigating everyone who had ever eaten there.

Investigate me if you have a reason to think that I might be tied to terrorism but stop as soon as I am cleared. But don't listen to everyone's phone calls, and read all of their mail in case they happen to say "I am a terrorist". Blanket surveillance is more likely to overwhelm the watchers and they will miss the subtle clues as a result.

Z.

rfunkFebruary 22, 2007 7:44 AM

The people pushing a national ID card and a wall across the Mexico border aren't really worried about terrorism; that's just an excuse to get more political support. Their main focus is anti-immigration.

Robert the RedFebruary 22, 2007 8:03 AM

"we're stuck with a series of nonsensical bans on liquids and gels"

Generally, I agree with TSA Potemkin security bashing. But banning large amounts of liquids makes sense to me, and has for several years. A person could carry on 3 bottles of "wine" that are really highly flammable liquid. Setting a fire that would be hard to put out on a trans-oceanic flight (where there is no place for a quick landing) is a plausible way for a single person to bring down a jumbo jet. A somehwat horrible way to commit suicide, granted, compared to a quick bomb or a quick crash.

Carrying on highly flammable liquids is illegal and has been for a long time, but how is it practical to tell what's in every sealed bottle of liquor that goes on a plane?

Of course, a would-be self-frying terrorist could still put the liquid in bags strapped to his thighs and stomach, and hope he's not patted down.

How many other ways can a single person (or two) plausibly act to bring down a plane in the current security environment? Morbid speculation.

gregFebruary 22, 2007 8:21 AM

@Robert the Red

I can still take a laptop onto a plane. Li burns rather well even under water. All i have to do is crack the bat into the toilet.

Oh then theres Mg and Al or even a mixture of Al and Fe2O3...And onld fashion Ti burns well in just nirtogen at a bit over 400 deg. The list of flamable and or explosive solids is rather long.

Banning liquids is just plain stupid. Its about a faluire to admit that you can't be totaly secure and you can't protect agaist all attacks.

To answer your last question there are 10000000 of ways. However Suicide bombers are in fact very very very rare and the ones that will do it have a tendancy of being a little stupid. Fortunatly.

Mike SherwoodFebruary 22, 2007 8:21 AM

@Zwack

I am suspicious of data mining as an approach to something as specific as intelligence gathering. It seems like it's based on the presumption that correlation==causation and that whatever data points you have will prove that to be true. It's pretty easy to come up with a solid approach when the conclusion is the premise, it's just not likely to be accurate.

This is exactly what our group where I work does. We build databases of all sorts of information on people from numerous sources and try to determine which ones we should offer credit cards to. We aim for a 1% response rate and spend a lot of time and money trying to get anywhere near that. Seeing how difficult it is to identify something as common as consumers who want credit, I can't imagine this approach working for anything meaningful.

Your example about different factions is a good point about how much they have in common with each other. I would expand on that by suggesting that in their philosophy, they are freedom fighters, not terrorists. There actions are based on their beliefs, not based on what we believe them to be. Therefore, I would not be surprised if correlations grouped several people with similar methodologies together, like terrorist/secret service agent/undercover agent/informant/paranoid security guy.

The problem with your idea of when they should stop investigating you is that the CYA security philosophy is afraid of closing an investigation because there's a rare chance that you might do something later. If you do something later and they say they have an open investigation on you and were not able to spend enough time on the case, it gets them an increased budget later. It doesn't matter to them if this only happens every 10,000th case because it's a CYA measure.

RobertFebruary 22, 2007 8:28 AM

And CYA security is why you will never see the DHS "Terror Threat Level" go below Yellow ( Elevated ).

SpiderFebruary 22, 2007 8:44 AM

In general, I agree with Bruce, but there is a fine line between CYA security and COCA ( cover our collective asses) security. There are people who have become so paranoid after sept 11 that they really think that they are protecting the country by reporting strange blinking lights or calling the fbi to check into the arab looking neighbor that seems like he's trying too hard to "blend in". I think there is an equal mixture of genuine CYA , and irrational fear leading to stupid decisions about where the money goes. Sure the liquid ban does little to actually prevent terrorist events, but the government needs to reassure the public. A little security theater, as Bruce has pointed out, is sometimes a good thing.

arlFebruary 22, 2007 8:50 AM

Is it CYA or just caution due to the normal cycle of copycat actions? It happens.

As for the Boston thing, what does a bomb look like? We had a State Trooper killed by a bomb in a microwave oven that was in a car. You either profile for stereotypes or you look for things out of the ordinary. You can't have a lot of both.

TimFebruary 22, 2007 8:54 AM

I agree entirely. Rather than `CYA' I've thought the exact same things but with the context of `reactive'. The nature of "protection" from the powers-that-be is:
a) places are only worth protecting after one of their kind has been attacked (eg an airport, tall tower financial buildings, railway station/system);
b) times follow the Western calendar for significance - bank-holidays and christmas etc.

Notably the nature of terrorist attacks is:
a) pick a place to maximize chaos, one that you've not hit before
b) no particular significance to the timing.

Is it any wonder I think the US & UK governments are going after completely the wrong things?

John R.February 22, 2007 8:55 AM

rfunk,

I'm against illegal immigration. I'm for legal immigration. My question, as a Republican, is why did the Republicans pass national id legislation (REAL ID), but never did anything to stem the tide of illegal immigrants at the border?

They did nothing, but they want to book me like a criminal.

When the Republicans did this, I thought, "They're betraying us."

The point is--is anyone wiling to do the hard work and make the tough choices to stop illegal immigration and/or terrorism rather than sell out our freedoms?

I think Schneier is right. It's all about their personal reputations than what's best for the country.

KevinFebruary 22, 2007 9:10 AM

I call it the "Three Stooges Model" of security...

Moe punches Curly in the face, Curly covers his face.

Moe then punches Curly in the stomach, and Curly covers his stomach.

Repeat until beaten black and blue.

guvnrFebruary 22, 2007 9:16 AM

there's a connection between John R.'s last two paragraphs although it's not obvious.

Elected officials *can't* do the hard work and make the tough decisions without consensus and broad political support, and those depend on reputation and public perception, which in part are based on what Schneier calls security theater.

So many people are quick to criticize and attack decisions and positions that political clout is fragile even when carefully protected, so of course officials take the most cautious approach.

Here's a couple of questions: could a bomb be constructed to look like one of those Moonite ad devices? If so (as I believe) would a public safety official be doing their job to dismiss the potential risk that it might be a terrorist plot? Or would their obligation to serve the public require them to take the most cautious approach to handling the situation?

RoyFebruary 22, 2007 9:17 AM

Essentially, this 'security' is simply counterfeiting. It pretends to do useful things, but it doesn't. Still it bills us for the fake services, and we taxpayers pay the bill with their guns at our heads.

VonFebruary 22, 2007 9:20 AM

I agree CYA is a real problem and until we have a real, intelligent form for discussing risk assessment - especially after an incident, it's not going to get any better. I can see the media interview now - Guy responsible for security after bad thing X happens: "I decided the risk from X was only 1% and Y 5% so I focused more effort on Y." Media: "Well, obviously you were wrong since X happened, right?"

Frank Ch. EiglerFebruary 22, 2007 9:21 AM

Of course some security is "backward looking". It is stupid to hold against security officials the mere practice of screening against recently attempted/successful plausible forms of attack. The good ones will of course do _more_, but less? Come on.

That's like continuing to run last decade's in.telnetd and in.rlogind, because after all that attack has already happened. Oops.
http://blogs.securiteam.com/index.php/archives/...

DavidFebruary 22, 2007 9:30 AM

A few comments.

The ban on guns on aircraft was a good idea. It is much easier to subdue a hijacker with a knife than a gun. As far as I can tell, airline security was good on September 11, 2001, and that level would have been perfectly adequate.

@Robert the Red:
If knives were banned earlier, then wine bottles should have been. This has nothing to do with liquid explosives or incendiaries (since there's lots of other ways to blow up or torch a plane), but rather the container. It makes no sense to ban knives when a terrorist can simply carry on a glass bottle. Break such a bottle and you've got a weapon more dangerous than a box cutter.

@John R.
The problem with cracking down on illegal immigration is that illegal immigrants are very profitable for US businesses. They don't have to be paid legal minimum wages and benefits, and they don't have to be treated legally. Since the current administration is very pro-business (in the sense of supporting existing businesses, not necessarily in fostering a good business climate), the administration has reasons not to crack down on illegal immigration. There are sound political reasons to waste money on known ineffective ways to stop illegal immigration, though.

Follow the money. Who benefits from illegal immigration? Are any of the beneficiaries politically powerful?

John R.February 22, 2007 10:08 AM

David,

The ironic thing to me is that in several ways, the illegal immigrants have more freedom than American citizens.

BoA's willingness to extend credit to illegal immigrants makes me wonder, "Why can't I bank in my own country without being profiled, SSNumbered to death, "Know Your Customer" type stuff...etc.

Its all kind of strange, isnt' it...


JeremyFebruary 22, 2007 11:05 AM

So with all the problems of CYA security, how do we fix it? We seemed to have nailed down exactly what is wrong fairly well, and we seem to know the correct measures to implement, so how do we get them implemented?

Bruce mentions in the article that the security follows the money, and the money comes from many of the wrong things. How do we change them to be the right things? If we can't, why not?

AndrewFebruary 22, 2007 11:10 AM

>> The ironic thing to me is that in several ways, the illegal immigrants have more freedom than American citizens.

I'm not going to change your mind on this, but just let me ask . . . are you speaking of the freedom to go to jail if stopped by police, the freedom to watch your sick child suffer because you're afraid to take them to the hospital for fear of losing them, or the freedom to work sixteen hours a day at sub-minimum wages for abusive employers?

>> BoA's willingness to extend credit to illegal immigrants makes me wonder, "Why can't I bank in my own country without being profiled, SSNumbered to death, "Know Your Customer" type stuff...etc.

Illegals typically live on cash, are highly motivated to stay out of any kind of legal trouble, and rarely if ever complain to regulatory agencies. The ID situation is improving and BoA specializes in underserved populations.

What's not to extend credit to?

>> Its all kind of strange, isnt' it...

I agree that illegal immigration is a distressing trend. We create a class of not-quite-legal people and special if randomly enforced regulations to control them. Better to regularize their status so that terrorists have no sea of illegal people to hide in. Lots more effective than a National ID Card.

Is this a security issue? Twice over. Population control on the one hand, and counterterrorism on the other.

Jeremiah BlatzFebruary 22, 2007 11:32 AM

I read something the other day (forgot where) that made the whole TSA idiocy thing click in my head. Someone wrote that when there's an airline accident, the FAA finds out exactly went wrong and institutes rules to make sure that it never happens again. This makes great sense when you have a highly reliable system and your (rare) problems have non-malicious causes. Air travel is so safe that finding potential accidents is really hard.

This gives a possible explanation of why the TSA airline regulations are so boneheaded. It's not so much that the people who devise them are stupid, it's that they're stuck in the wrong mental model: accident prevention rather than counterterrorism. If I was inclined to have a magnanimous view of the TSA, I'd say that the airline rules were written by a bunch of air travel safety folks who are doing their best, rather than a bunch of disingenuous apparatchiks that are covering their asses.

jFebruary 22, 2007 11:35 AM

Tim: "Is it any wonder I think the US & UK governments are going after completely the wrong things?"

The UK seems to be following Bruce's advice more than the US; by applying effort to intelligence gathering, they seem to be stopping some pretty nasty plots before they get anywhere. The UK got the liquid explosive bombers, the US got a ban on liquids.

Geo. WashingtonFebruary 22, 2007 12:00 PM

@Mike Sherwood:
> In a small organization where everyone
> knows each other and knows who they can
> trust, it's easy to encourage smart behaviors
> since the alternative is to go out of business.
> However, I don't see a viable path for getting
> this into large organizations like governments.

The US "Founding Fathers" understood this principle well, and that's one of the reasons why the powers delegated to the national government were so limited, and precisely enumerated. What can be handled effectively, locally, should be handled locally.

Internal security is just one of many special cases.

Stephan SamuelFebruary 22, 2007 12:12 PM

For a country full of God-believers, America is very scared of death. Unfortunately, some number of thousands of people will be killed annually in terrorist attacks. It's smaller than the number who will be killed by heart disease, AIDS, or car wrecks. The number of public service workers killed by terrorists (police, firefighters, military, etc.) will unfortunately be larger. Making me take my shoes off at the airport and not carry my shaving cream in my carry-on won't ever change this.

Once I realize that, I don't blame the TSA, my mayor and governor, or George W Bush for it. I've moved on and I know my chances. I'm at peace with God and with the world, even if it's always not at peace with me. I'd hate to die, but I know I can optimize my chances by spending less time in a car going 65 mph or faster and eating fewer fatty and processed foods.

Incidentally, it also leads to a good point by Mike Sherwood: they're freedom fighters, not terrorists. As long as we deny them the right to be heard, they'll try harder (i.e. -- try to "terrorize") to be heard. Give terrorist leaders a seat at world summits, let their grievances be heard, and maybe the incidence of terrorism will be lower.

HerbFebruary 22, 2007 12:23 PM

I agree that most of the examples given above (random bag searches, fluid bans etc) are examples of over-reactions. However, I still haven't heard a good explanation of why Boston officials overreacted that doesn't come down to "of course they over-reacted because it obviously wasn't a bomb."

Let's put it this way - a municipal worker phones in and says "hey, I spotted a device on a bridge that wasn't there yesterday." What is the proper response? (Keep in mind, anything involving a manlift or ladder is going to require traffic to be slowed down or stopped for the worker's safety).

Geoff LaneFebruary 22, 2007 12:36 PM

The problem with successful security is... nothing happens.

The problem with unsuccessful security is...
nothing happens for a long time.

In the short term, good and bad security look identical; and in any case most people just don't have the necessary background to tell the difference.

We do know from history that generals tend to prepare for and fight the previous war. Once you've bought the battleship with 18 inch guns it's difficult to say to government that they've wasted the money.

The next major terrorist outrage will be against a target that nobody anticipated.

Begin Movie Plot

A mall is a great target. All you need is to rent a shop and one day take delivery of a truck full of explosive; set up in the shop and wait for the Saturday crowds.

End Movie Plot.

Durable AlloyFebruary 22, 2007 12:40 PM

@John R

Oh, really? Then why didn't the Republican Congress pass the SKIL Bill, and instead approved funding for the border fence?

Republican lawmakers are guilty not just of ineffectiveness, but also of hypocrisy.

Pat CahalanFebruary 22, 2007 12:42 PM

@ Mike Sherwood

> The idea is that a well run IT group keeps things going and all that
> the end users know is that stuff works.

[snip]

> Therefore a well run IT group will get its budget cut because there
> is a perceived opportunity to save money since the group isn't needed
>in a visable manner to the budgeting people.

You've fallen victim to one of the classic blunders!

Kidding aside, you don't define "a well-run IT department". Implicit in your description is "well-run" == "technically apt", but "well-run" > "managed from a business perspective".

I agree, technically apt IT departments don't have the same "in your face" presence that poorly run IT departments have, and this can lead to precisely the disjoin that you note here -> departments are "rewarded" for poor performance.

But, this is often because people managing IT departments are IT people. They often don't have business skills, don't speak business talk, and are poor diplomatic animals outside their collection of geeks. Anyone who knows how to do a basic business analysis and is willing to put on a tie (or at least a nice jacket) and stand up and show numbers can demonstrate graphically and compellingly how a (technically) well run IT department represents a huge ROI and lower TCO to an organization.

So, in a very real way, they aren't "well-run" IT departments. They might be high-performing, but managing an IT department is primarily a business-oriented job, not a technical one.

If you're not willing to defend your IT department's budget using the weapons and tactics of the business world and put time into crunching numbers, you have no business running an IT department.

JimFebruary 22, 2007 12:58 PM

CYA security is not broken. It's akin to debugging a program. Fix the one that crashes the program, then proceed to the next one. The entire CYA Security theory implies the only form of action the government (DHS, FBI, CIA, NSA, etc.) performs is retroactive, which is an entirely myopic mainstream media generated notion.

derfFebruary 22, 2007 2:03 PM

Awww, c'mon! You can't argue with success...(or can you?)

You have to admit that the TSA has successfully prevented toddlers and senior citizens from bringing down a plane.

Boston officials successfully defused each of the Aqua Teen Hunger Force bombs before anyone was hurt.

New York and Bostonian transit officials successfully defended against copycat London subway bombers.

The only way to show the incompetence in a meaningful manner that might have a chance of bringing about change would have to be catastrophic and highly illegal. Official airport testing has shown the TSA to be completely useless. Amateurs periodically successfully penetrate TSA defenses, get their 15 minutes of fame in the press, and are very quietly disposed of. Neither of these have caused any changes to be made to the useless systems or inadequate emergency planning in place.

Pass A Broad Law!February 22, 2007 2:35 PM

"It happens because there isn't sufficient national oversight, planning, and coordination.

"What we need is a coherent antiterrorism policy at the national level."

You bet, Bruce! Centralized planning! That'll cure our ills! No matter that they've been CREATED by centralized planning. What we need to fix it, is....MORE CENTRALIZED PLANNING! (Where have we heard this before?)

Bruce adduces reasons in his arguments like a fullback at a 1970's Rosebowl: he'll blast right through for yards 1, 2 and 3, (making lucid, cogent points 1, 2 and 3), but then when he's about to break free for a touchdown, he fumbles, and retreats to the leftist-liberal platitude of "what we need to solve problems created by public officials is....more involvement by public officials!" The irony (tragic) lies in the fact that he's only inches away from where his thinking is leading him. (Hint: the Cold War is over. What is the main reason why?)

HarryFebruary 22, 2007 3:15 PM

Organizations, like people, respond to incentives. With the current focus on assigning blame - "OMG, with perfect foreknowledge this might have been prevented!" - and gotcha-ing, of course organizations are going to cover their behinds.

In other words, we made the bed and now we have to lie in it. If we want it to change we have to make a new bed.

NASA is a reasonable example of accepting risks. NASA officials say, in public and on camera, that space flight is risky and if we want to do X we have to risk Y. The US needs more of that.

Frank Ch. EiglerFebruary 22, 2007 3:43 PM

@David:

> As far as I can tell, airline security was good
> on September 11, 2001, and that level would
> have been perfectly adequate.

How strange, I seem to recall a wildly successful breach of airline security on or near that date.

observerFebruary 22, 2007 3:49 PM

Bruce,

It seems like the common theme of so many of your terrorism and security articles is "here's what they're doing wrong" or "why we're screwed" or "consolation of the masses is not a security issue, only serious-minded responses that make engineers happy are important."

There's just one problem. A high paid expert is fairly useless if he can't advance his own arguments. While you sit in a chair and expect it all to change, by making broadside attacks, you have demonstrated very little ability to outline proactive security strategies yourself. It's all about "don't do this" or "don't do that." Okay, what *do* you recommend?

Are you really a professional security thinker, or just a professional critic?

Let's hear it.

RalphFebruary 22, 2007 3:55 PM

I vote for the stupid WALL BETWEEN USA AND MEXICO.

There's a piece of solid bricks and mortar "security" to make you proud.

K. Signal EingangFebruary 22, 2007 4:08 PM

@Kevin

Your "Three Stooges Security Model" is a perfect metaphor. You should send that one to the Daily Show. I'm seeing a deadpan dissection of the TSA security philosophy complete with slow-mo replay and Madden-style Xes and arrows already.

Course they'll have to wait until TSA makes up some new dumb rule before they can use it. Two, three weeks tops.

Ctrl-Alt-DelFebruary 22, 2007 4:37 PM

@ Stephan Samuel,

"Give terrorist leaders a seat at world summits, let their grievances be heard, and maybe the incidence of terrorism will be lower."

You may temporarily appease some groups of terrorists that way, but there are *always* more crazies out there. Once terrorism is established as an effective route to the summit, the number of people taking that route will multiply. Having gained a seat at the table through terrorism, will they set it aside once there? From their viewpoint is a seat at the table is worthless unless it advances their cause. Terrorism would still be a powerful bargaining chip - but only if they demonstrate they're willing to use it. So they'd still commit terrorist acts.

By analogy, if murder was decriminalised, the crime of murder would be eliminated. An excellent outcome! But would it lead to a reduction of the number of people being killed in ways that would once have been defined as "murder"? Doubtful.

mozFebruary 22, 2007 5:11 PM

@observer which part of "We mght be better off as a nation funding intelligence gathering and Arabic translators" is unclear? There's also a pretty clear theme to Bruce's past comments: basic Police / intelligence agency work and people on the ground. Don't invest in technology; invest in good people.

I guess part of the problem with this is that it's easy to say and (relatively) easy to implement so it doesn't really lend its self to grand schemes and press releases.

@Herb

Few people are complaining about the reaction to the first device by the first people to see it. If you see something new in an area you are responsible for and you don't know what it is it's a good thing to ask someone. It's a good thing also to investigate such a thing. What's stupid is a) the trained investigators overreacting to a device which isn't a bomb (their job is to identify bombs) b) having verified that it isn't a bomb, them continuing to overreact by treating subsequent discoveries of the same device as a bomb c) having realised that they _mistook_ an innocent device for a bomb, overreacting to the trigger of their own _mistake_ by screaming in the media. d) having made a big fuss in the media, overreacting to criticism by starting and continuing legal processes against the people who committed no crime more serious than littering.

apart from that, I can't see major way they overreacted.

Stephan SamuelFebruary 22, 2007 5:45 PM

@Ctrl-Alt-Del,

Your analogy is incorrect. I'm not advocating legalization of terrorism, whatever that means. I'm advocating giving recognized leaders a voice among other leaders. The correct analogy would be sitting down someone who's killed in self defense and asking them what would need to happen for them not to need to do it again. Naturally, you need to listen to the answer and make a fair attempt to work with them. Note that, "work with them," doesn't mean, "give them everything they want."

Your guess that we'd only temporarily appease terrorists is just that: a guess. Granted, there are crazy people who will always want to kill people, but most freedom-fighting groups want freedom (or a similar goal), not just to kill people.

Case in point: look for "list of unrecognized countries" in Wikipedia. Granted, Wikipedia isn't always factually correct, but there's a definite trend that most of the countries on the list spur violence, terrorism, war, and guerillas. Some of that violence may stop if we stopped to ask why they're fighting and listened to the answer.

UNTERFebruary 22, 2007 5:46 PM

There's plenty of blame going around, but I don't see one actor: The American People. Not as individuals, but as a society. CYA is rampant from top to bottom, it's become culturally ingrained. For some reason, our judgment has become faulty, our information lacking, and our response lackadaisical.

A lack of sense of responsibility for our actions leads to CYA'ism, which comes from a lack of a sense of community. Now, I can't judge easily whether this is a new phenomenon, but the impression I get from Depression-era folks is of a different mindset. For example, older business owners have a sense of patronage toward their employees, while younger CEO see their employees as "human resources," interchangeable, objectified units no different than chairs.

Fifty years ago, there actually existed fairly democratic social institutions for forming culture and norm, for judging local behavior, such as the Masons, Elks, etc. All of those are gone, and all we have left are the rigidly dogmatic churches on one end, and the televised spectacles of Brittany Spears on the other. With such an atomized society, how can any one expect anything other than CYA in all our endeavors, and bureaucratic intransigence in our organizations?

DavidFebruary 22, 2007 5:51 PM

@Frank Ch. Eiger

Sure, there was a major security issue on September 11, 2001, but it was not due to faulty airport security, but rather to the standard response to aircraft hijacking. That response was spontaneously altered before the day was out, and that made that particular form of attack impossible.

There was no need to ban knives from aircraft, since a few passengers with blankets can take down a knife-wielding terrorist. What was, and is, necessary is to prevent terrorists from carrying guns on airliners. The pre-2001 security was perfectly successful in that (none of the September 11 terrorists carried guns), and would continue to work.

In short, there was absolutely no need to change any airport security measures to prevent a repeat of the September 11 attacks.

JimFebruary 22, 2007 6:57 PM

@David

>
There was no need to ban knives from aircraft, since a few passengers with blankets can take down a knife-wielding terrorist.

is that before or after the knife-wielder kills the pilot?

Frank Ch. EiglerFebruary 22, 2007 7:12 PM

@David That this is

You said "airline security", not "airport security", but either would have been just as wrong. They both failed that day (in different ways), as did other parts of the overall security apparatus. Surely this is not news.

Your evocation of absolutes ("impossible", "absolutely no need", "perfectly successful") is either stunning naivite or laughable rhetoric. Assuming the former, do test your admiration of freely letting knives on by imagining being the only brave blanket-armed person on a plane full of knife-wielding jihadis. "Absolutely impossible" right?

Anon travelerFebruary 22, 2007 8:38 PM

This last weekend my wife and I flew back to Virginia to visit family.
We flew in and out of BWI in Maryland. On the way back I saw something that was reaffirmed after reading your email. The family behind us going through the security screening had a push cart. The ones that you pay $2 or so to use. After they unloaded all of their belongings from it, the security guard just walked it around the checkpoint. Here my wife and I are dumping anything over three ounces, and taking our shoes off. But this cart, which is not controlled 100% of the time, is moved through security without a second look. How hard would it be to modify one of those to hold just about anything.
I would have said something to TSA, but in today's climate I would rather they not take notice of me for any reason.
Thanks for your time, and thank you for blogging. I enjoy it every day.

quincunxFebruary 22, 2007 9:00 PM

@ UNTER

"Fifty years ago, there actually existed fairly democratic social institutions for forming culture and norm, for judging local behavior, such as the Masons, Elks, etc. All of those are gone, and all we have left are the rigidly dogmatic churches on one end, and the televised spectacles of Brittany Spears on the other."

One of the reasons for these social institutions was for insurance purposes. People would band their resources together and be able to afford cheap medical and other services. They worked really well - too well in fact (>99% of all people had health coverage before 1960) - that the government (with the support of the AMA cartel [a previous gov intervention]) had to step in and 'solve' it (being the criminal gang that it is). Why do you think our health industry is so messed up?

The answer to our security problems is the same as for all of our social problems: 100% privatization (i.e. the withering away of the state)

---

There is no such thing as 'national security'. In fact we have never had a national security problem - all problems are local. 9/11 was a NYC/Wash./Penn. security problem. When one gets into collectivist abstractions it becomes very difficult to think clearly.

It is unfortunate that Bruce falls for the 'national security' clap trap (a fantasy as old as civilizations themselves). Either that or he is rent-seeking.

SpannerITWksFebruary 22, 2007 11:31 PM

I wonder how many people have actually got booted out of their jobs for making big errors, or ones that should have been avoided, and/or corruption etc ?

From what i've seen and heard, lots of people are still there, or leave only to be accepted by some other company or org or Gov dept.etc.

Doesn't anyone properly check their FULL backgrounds out before taking them on ? Who are the idiots that continue to employ them, and why are there so many of them obviously in the wrong jobs too. Who employed them ?

How many of these people have been held to account, and been made to pay, and yes with jail time too, and why not. If the message doesn't get through that incompetance won't be tolerated, guess what, on the with the same old just like before. Oh and usually with YOUR tax $, directly and/or indirectly !!!

Wake up people, open the window and shout out loud " I'm mad as hell and i ain't gonna take it anymore "

If you don't complain Loudly, then expect more of the same, and more than likely, even worse, oh yeah, and more of it more often !

Spanner


John DaviesFebruary 23, 2007 3:35 AM

The description of CYA and only looking back is so true. Last week I travelled from the UK to France, in my car, via the channel tunnel. Granted it was 5.30 a.m. but there should have at least been some checks. I'd booked online, checked in via an automated machine, didn't have to show my passport and barely spoke two words to the guy who pointed me to the line to queue in. I could easily have loaded half a ton of explosives into my car and caused absolute mayhem.

This comes not so long after there was a minor stink in the UK about terrorist suspects skipping the country.

Plus ca change ...

Colossal SquidFebruary 23, 2007 5:21 AM

Quoting J upthread:
"The UK seems to be following Bruce's advice more than the US; by applying effort to intelligence gathering, they seem to be stopping some pretty nasty plots before they get anywhere. The UK got the liquid explosive bombers, the US got a ban on liquids."
Two points:
(i) We got the ban on liquids in the UK (and EU) too.
(ii) The liquid explosive bombers have neither been tried nor convicted. Remember 'innocent until proven guilty'? Quaint concept I know.

David in ChicagoFebruary 23, 2007 8:43 AM

"It is very difficult to get a man to understand something when his salary depends on his not understanding it."--Upton Sinclair

D. Glenn Arthur Jr.February 23, 2007 10:15 AM

David wrote about the ban on knives being undermined by the lack of a ban on glass bottles which could be broken. Well, I've described this before but I don't remember whether I've done so here: the last time I flew (well after 9/11), I was served a drink in an aluminum can (the stewardess poured most of it into a plastic cup but left the can because the can was larger than the cup). I had need of a screwdriver -- at the security checkpoint I had been required to remove the lens of my camera, and a set-screw on my teleconverter had come loose, but of course I was not permitted a screwdriver -- so it did occur to me that if I bent the can back and forth I could tear it and fashion a marginally useful screwdriver.

The only thing that stopped me from doing so was the awareness that the step before turning the scavenged aluminum into a screwdriver would look a lot more like an improvised knife -- for good reason, as it would be a much more effective knife than a screwdriver -- and I didn't want to frighten folks into arresting me.

So I wasn't allowed to carry on my %$#^ing nail clippers or a tiny screwdriver, but the stewardess _handed_me_ the materials for making a knife.


Thing is, how do you close that vulnerability? Stop serving beverages on airplanes at all? Install a soda fountain in the galley, insist that fruit juice be brought aboard only in cardboard cartons, and make the stewards and stewardesses go back to the galley for each person's drink order instead of using the drink cart? After you do that, where's the _next_ improvised-weapon threat?

So no, Observer, I don't have a "what they should do instead" suggestion, but I think this is a pretty glaring illustration of how what they were doing was pointless theatre, and that they were annoying and inconveniencing people to no useful effect. IIRC, this was while folks were still discussing whether to reinforce cockpit doors, the real solution.

Stephan SamuelFebruary 23, 2007 10:47 AM

@quincunx,

There very much is such a thing as national security. 9/11 was not just a problem for NYC, Washington and PA.

Ignore for now the obvious problem that one coordinated attack impacted three states, by definition a national problem. We'll overlook the fact that NYC and DC metro are each composed of at least 3 states, by definition a national problem. Some planes took off in Boston and NJ (read: national transportation). That would make military airbases in MA, NJ and NY responsible for shooting them down (read: national armed response). The President (read: national command), as Commander in Chief, is responsible for the go-no-go order to shoot down a commercial jetliner. Terrorists had ID from several states (read:national security). More than one plane was headed out of the northeast (read: national impact). The target of one of the attacks was the Pentagon, which is right near restricted airspace ment to protect the President (read: national consequences). How, exactly, was 9/11 local?

Trains have their own police forces and airplanes have air marshals that have no local jurisdiction, but 100% jurisdictional authority on their respective transport. They too are national. The FAA is a national agency; refer to the first letter of the acronym. Federal money covers security. The DHS gives money to local governments to pay for security. DHS money comes from my federal tax dollars, so only a national security policy could shape their spending my money correctly.

Funny enough, we have a National Security Agency. Maybe they should be the ones to sponsor a less covert branch with a few analysts (hire some consultants too, like Bruce) to come up with a comprehensive policy. Then again, knowing the NSA, maybe they've already got something like this.

Stephan SamuelFebruary 23, 2007 11:00 AM

@D. Glenn Arthur Jr.,

You make a good point. As Bruce has said before, if we can't keep weapons out of prisons, we can't keep them out of airplanes.

There are hundreds of common items on an airplane that could easily be turned into a weapon. A pencil or pen is highly lethal with no modification. I don't personally know how, but I know people who can maime or kill easily with their bare hands. Many modern firearms are made from polymers or ceramics that can go right through metal detectors. A couple of minutes opening bottles of liquor from the drink cart and some paper napkins makes a molotov cocktail. I learned this stuff in college in the course of a normal bachelor's degree in engineering. Imagine what a proper chemist or someone who read a terrorist training manual may know about killing me expediently.

Building a bigger wall won't help anymore. We need to solve the underlying problem.

Michael HamptonFebruary 23, 2007 4:27 PM

Of course there's a solution. Unfortunately, it's one that no politician would ever vote for. It's to get the government out of "homeland security," and let the proper people handle it: We the People.

nonvoterFebruary 23, 2007 5:38 PM

@Michael Hampton

>
It's to get the government out of "homeland security," and let the proper people handle it: We the People.

you the people are the government.

AnonymousFebruary 23, 2007 9:00 PM

"Many modern firearms are made from polymers or ceramics that can go right through metal detectors"

This is false but the rest of your post is quite accurate.

While some parts of guns are polymer no barrel, reciever or ammo is. I've never heard of a gun that has ceramic components at all - much less in the working parts.

This idea is only true if by "gun" you mean one time use hand shredder. Velocity of the bullet is dependent on barrel lenght and if the barrel ruptures as soon as the bullet/projectile starts to move or even before very little velocity will be obtained = not much KE and not much damage to anything but your hand when you fire it.

What is a legit possibility is making the gun look like something else on xray and hope due to poor training/lazy people it will not be seen.

rajatFebruary 23, 2007 11:26 PM

I guess following the CYA method is the most popular approach. Most organizations follow the method of "transferring" risk rather than mitigating it. A perfect example is Payment Card Industry Data Security Council asking vendors performing security audits to take responsibility of breaches. Another example would be taking insurance for everything under the sun!

MR CFebruary 24, 2007 5:43 AM

CYA security... Well put. The thing is that CYA in the US is not just about security. It's a normal behavioural pattern. While dealing with my US collagues I got frustrated quite often as no one wanted to take the risk of making a real decision, and implementing something I've been requesting. They were constantly implementing CYA in almost everything they did.

The pink slip culture of the US doesn't really help. If you make a simple mistake, you're out. In our country that does not happen. There are laws in place to protect the employee and procedures in place which you have to follow in order to fire an employee. What this means, that the employee can make decisions, and not be constantly afraid of losing the job. And usually people learn from their mistakes...

And about those liquids and other "counter measures"... I was on a first Lufthansa flight out of US after 9/11 from Atlanta. The week I had to stay after 9/11 was spent on "improving" the airport security. Yeah right... I had a metal belt buckle (quite big) and pocket full of coins when I went thought the metal detector. Not a single beep. And the airport security didn't notice my laptop, but perhaps it was enough when they X-Rayd it.

... And just a few weeks ago I was flying from another EU captiol to my home airport and I had some prescription cough medicine with me. The airport security did look at the bottle and asked for the prescription. All fine... But the prescription was in my native language, which I'm 100% sure the airport security guy did not understand. But he was checking it very thoroughly and after a while he said "everything is ok". Hmm... Hopefully it was about checking that I'm not "hinky" and watching my reactions, rather than pretending to understand a grug prescription in a totally unknown language.

the other GregFebruary 24, 2007 7:36 AM

He was assuring himself that the prescription was illegible because it was written in an undecipherable script, and not illegible because it was written in a foreign language.

averrosFebruary 24, 2007 2:36 PM

"Pass A Broad Law!" has the best analysis of Bruce's article -- nice start, but total intellectual timidity and failure of imagination at the end.

No, Bruce, doing the same thing (centralized government-run security) which so spectacularly failed in the past, over and over again and somehow expecting to see the different results is the definition of insanity.

The only real solution for the effective and unobtrusive secutity in transport is between airlines and their insurers. Only they have the right incentives to make it work[*] and at the same time to reduce hassle tp their paying customers as much as possible.

[*] The government doesn't. It thrives on catastrophes - its propaganda makes each new catastrophe to be a justification for expanding the government control over its population. So no one in the government is interested in preventing catastrophes - they'd rather be seen fighting the fire.

Claiming that we lack "oversight" or any such administrative control is just plain wrong - we have way too much of that. But the administrators (er, the ruling political class) have a distinctly different incentives from us the flying peons.

...and if you asked anyone with any knowledge of living in a socialist country, you'd know that CYA is the modus operandi of socialism. Which you, Bruce, is, in effect, advocating.

Sky-HoFebruary 24, 2007 6:31 PM

I am in the airline industry (pointy end) and can relate that prior to 11Sep01, knives could not be longer than 4 inches making box-cutters "legal". So, it would seem there was no "breach" of either airline or airport "security".

There were many failures, the idea of "common strategy", crews were actually told to wait, if possible, until the authorities could handle the situation, pre 11Sep01, a subject of security briefings I could never agree with.

Bruce, you are exactly correct in your description of CYA as it plays to the operation of business in the US. I know a few of the top dogs in Homeland Security and TSA, and I laughed when that meme was brought up. So true. Two of them would concur with you, but at least one feels the CYA method of management is pretty well locked into our business culture.

Building a bigger wall will never keep them out, they will just climb higher or dig deeper. You must first find out why they are doing what they are doing and fix it. Giving potential terrorists something to protect, like land or a seat at a table will never eliminate all terrorists, but you can be certain the diehards will loose a lot of supporters.

guvnrFebruary 24, 2007 7:00 PM

@Sky-Ho, well said. thankfully those of us on the GA side of the house don't have as much meddling in our response strategies, just the call to judgment ex post facto (which you share in spades!)

@averros, the private sector incentives to make it work are no panacea, they're only effective as long as they're aligned with the bottom-line imperative. As soon as it's more profitable to accept losses the financial imperatives will work against security not favor it. otoh politicians (as opposed to governmental bureaucrats) don't like catastrophes killing and terrorizing innocent voters, it undermines reelection prospects. When I was learning to fly it was axiomatic that there is safe and there is legal and the two are not synonyms - but the legal side made perfect sense when viewed as the result of bureaucrats assuring legislators that they're doing the right things to keep airplanes from falling out of the sky onto innocent voters. That's essentially the same dynamic that drives security theater, and makes the DHS more understandable albeit still ineffective.

guvnrFebruary 24, 2007 7:27 PM

@stephan samuel (10 back), re weapons and bare-handed deadly force:
http://www.msnbc.msn.com/id/17284416/
(Yahoo reports he's a former Marine, why am I not surprised?)

Costa Rica's crime problem and this incident seem somewhat relevant to the fight against terrorism, Flight 93 has more to do with why terrorists won't succeed in flying any more airplanes into tall buildings than the DHS does!

Point is, security can't be outsourced any more than liberty can be imposed. They come from being self-reliant and accepting responsibility for the consequences of one's actions (in other words, the antithesis of CYA and its recent corruption of the American Dream).

Jim Hawk IIIFebruary 25, 2007 7:18 AM

@ Stephan Samuel:

>Incidentally, it also leads to a good
>point by Mike Sherwood: they're
>freedom fighters, not terrorists.
>As long as we deny them the right to be heard, they'll try harder (i.e. -- try
>to "terrorize") to be heard. Give >terrorist leaders a seat at world
>summits, let their grievances be heard,
>and maybe the incidence of terrorism >will be lower.

I believe you misunderstood what Mike Sherwood wrote. He didn't say "they are freedom fighters," he said "...in their philosophy, they are freedom fighters," which is entirely different. They *think* they are freedom fighters, but those with more objective opinions might find differently, given the facts.

The so-called Palestinians don't blow up U.S. holdings in the actual United States; that appears to be the specific province of al-Qaeda, whose "freedom fighters" are fighting for the freedom to have the entire rule under the dominion of the Caliphate (i.e.; for the freedom to rule the world). Not surprisingly, the rest of the world disagrees.

The Palestinian terrorists appear to be too dim to realize that blowing up property on which they intend to live is akin to attempting to sate one's hunger by throwing the buffet on the floor. If they're not any smarter than that--of what use is the bargaining table?

Sky-HoFebruary 25, 2007 3:59 PM

Jim Hawk III,

Is there an al-Qaeda speech or talking point that says they want to take over the world? All I've read is that they want to re-establish the Caliphate, which stretched from Morroco eastward to Indonesia. I avoid Faux News and therefore may have missed something vital on that entertainment channel.

When someone invades your homeland and you fight them, you are a "freedom fighter", no ifs, ands or buts about that. So, when Israel invades surrounding lands, they should expect a little pushback from freedom fighters, just as if someone invaded Israel.

About "less lit" Palestinians blowing up their "own" property. If someone doesn't control the property, it isn't theirs. I am reminded of the Israeli settlements built right on land owned by Palestinians, as much as 80% of the town in one case would never clear title for such a reason. Since the "owners", the Palestinians, do not control the land (not collect rent or sell it), I would say they have a right to be a little upset and be willing to demonstrate their anger.

Thank goodness I get my information from the Pentagon, the BBC and other than White House propaganda sources.

Ctrl-Alt-DelFebruary 25, 2007 8:18 PM

@ MR C

"the prescription was in my native language, which I'm 100% sure the airport security guy did not understand"

Unless your native language uses a non-Latin alphabet, understanding the language is not necessary to understanding a prescription - or many other things. Here is a (fake) prescription:

"Asprin 300 mg, 1/cdt, 5 erehr"

What's being prescribed? How many times a day? How many repeats?

If your native language uses a different alphabet, such as Greek or Cyrillic, though, you might have a case as it'd be a little more cryptic to the average airport minion then:

"�?�?прин 300 мг, 1/кдт, 5 eрeчр"

He'd probably have you arrested. ;-)

averrosFebruary 26, 2007 4:18 AM

@guvnr

"the private sector incentives to make it work are no panacea, they're only effective as long as they're aligned with the bottom-line imperative"

Oh, not that "the market is not perfect so we need government to step in" tired canard again.

The private business interests may be not exactly aligned with the interests of the customers, but no business can survive for long if it ignores interests of its customers.

But the governement interests are exactly opposite to the the interests of its unwilling "customers" (otherwise they would be willing, right?). Because of that government intervention always, unconditionally, produces worse results than absense of regulation. There is no single credible example of a government regulation which didn't have deleterious results worse than any benefit coming from that regulation.

"otoh politicians (as opposed to governmental bureaucrats) don't like catastrophes killing and terrorizing innocent voters, it undermines reelection prospects"

May I politely suggest some Ginko Bilboa, Piracetam, or whatever works to improve memory? The only reason why Bush was reelected is because he managed to create a catastrophic war.

Pat CahalanFebruary 26, 2007 12:40 PM

@ averros

> no business can survive for long if it ignores interests of its customers.

This is so stunningly in opposition to historical reality I don't know where to begin.

Yes, businesses cannot survive indefinitely if they ignore certain economic definitions of "interests" of its customers.

However, as long as the business meets the economic interests of most of its customers (selling goods at a cheap price) while negatively impacting the non-economic interests of a very small set of non-customers (say, the 600 residents of the neighborhood south of the plant that is spewing noxious, unregulated, cancer-causing crud into the air and water), the business can carry on its merry way.

> There is no single credible example of a government regulation which didn't have
> deleterious results worse than any benefit coming from that regulation.

Flip argument: there is no single credible example of an industry self-policing in a responsible manner in an attempt to correct any negative, non-profit oriented consequence of its business practices.

I won't claim this statement is true, but if you're going to toss unjustified blanket statements into the middle of a discourse, I'm going to discount the rest of your arguments unless you (a) back up your statement with something resembling evidence or (b) credibly refute the flipped argument.

guvnrFebruary 26, 2007 1:20 PM

@averros, we agree on dubya's reelection cause, if not on other points (ie free enterprise behavior effects of economic and regulatory requirements)

my experience with the Superfund listing of a toxic waste dump was pretty convincing evidence that sometimes corporate citizens need their feet held to the fire by the gummint - contrary to your absolute assertion that regulation is always better than its absence, Bhopal and the Love Canal show pretty clearly that the absence of environmental and safety regulations was not better than having them.

Even beyond that, you say government "customers" are unwilling when in truth that's untrue - the problem is the public wants the fruits without the cost. They're willing to have regulation as long as it impacts somebody else, not them.

They want the safety and security of a lawful society without the implications and burden of law enforcement. They want to know that airlines won't be hijacked, but they don't want to have to go through security inspections. Thing is, the cost:benefit equation inherently includes cost (social as well as financial) and trying to ignore that part leads to an incomplete picture of reality.

That's why we end up with conflicting and unworkable "solutions" and a lot of finger-pointing and CYA...

ProgrammerFebruary 26, 2007 1:27 PM

@Jim:
"CYA security is not broken. It's akin to debugging a program. Fix the one that crashes the program, then proceed to the next one. The entire CYA Security theory implies the only form of action the government (DHS, FBI, CIA, NSA, etc.) performs is retroactive, which is an entirely myopic mainstream media generated notion."

If we extend this analogy, then you start running into the fact that users will continue to find bugs after the program ships. They will never run into the bugs that you fixed in development, but will have to put up with new bugs as they are discovered.

That's a bad analogy for security to be taking, the view that as long as we fix the problems that exist today we are fine. That's why CYA doesn't work.

Instead it should be looked at as building a secure operating system. You create an environment where exploitation is virtually impossible, you plan for limited effect on things that you know will happen, and when things that are new *and generally applicable* show up, you fix them. The problem with CYA is that it only protects against specific threats. For another computer example, what good is it to prevent a program from exploiting via one network port, when they can just continue exploiting via another!

To expect perfect security, especially when you only take a reactive approach, is both stupid and wasteful.

averrosFebruary 27, 2007 2:04 AM

Pat & guvnr --

what you are saying is that businesses can do criminal things - like imposing pollution onto their neighbours. Well, that's some news. Businesses ain't run by saints (neirther are the governments).

There is no need to regulate what is already understood as a criminal trespass. The regulation comes in because some resources are declared communal - and so the tragedy of commons is created. So the government is called in to create one-fits-all rules.

And because it is large businesses who have money to spend on buying attention of the government busybodies - guess who wins in this game?

"Bhopal and the Love Canal show pretty clearly" - well, they show pretty clearly what happens when the government barges in. You really may want to read the history of these disasters. The Bhopal project was from the very beginning mired in populist politics, with local authorities changing their minds regarding location, - even after construction was started. And do not forget that it was the pet project of Indira Ghandi - political from the day one.

Love Canal was started being used as a hazardous chemical waste dump by the City of Niagara Falls, since 20s. It was offloaded to Hooker Chemical in 42, and by 47 HC closed it. After which the local government proceeded to build school and residencies over it - thus creating the disaster.

"They're willing to have regulation as long as it impacts somebody else, not them."

Well,. I agree with that. People want free lunch. The problem is that they're sorely ignorant about economics, and their ignorance is being used by the politicans for their own ways. If people were somewhat better educated, they'd realize that they're not making themselves any favors by clamouring for more laws and regulations.

"Flip argument: there is no single credible example of an industry self-policing in a responsible manner in an attempt to correct any negative, non-profit oriented consequence of its business practices."

Well, there is no such thing as state-free economy in the modern world, so there's no "pure" example of self-policing. However, it takes willful blindness not to notice that the well-being of people is strongly correlated with economic freedoms.

In fact, the industry makes millions of commercial transactions daily, and only timy portion of them ends up in conflicts. And most of those conflics are resolved not by courts but by commercial arbitrage. If this is not a credible example of self-policing, then I don't know what kind of proof will be sufficient.

Also, my statement requires a single unabmiguous example to refute. Refutations to your statement happen so often that people stopped noticing it. By and large economy works without government, here and now.

AnonymousMarch 13, 2007 12:08 PM

Hmm...if we did not protect against attacks used against us...would not the terrorists use it again?

Take for example, why we have locks on doors and windows. Without locks Burglars could come in and steal very easily. With locks, Burglars can still steal but becomes slightly more difficult. Just becuase Burglars can still steal DOES NOT mean you would be better off without locks.

Your argument when examined in context is false...but don't let that stop you from standing on your pedestal,

william adams, pe, phdMarch 18, 2007 6:33 PM


Bruce,

You are partly right, but miss some important points.

There is some stupidity and maybe even CYA going on.
Mostly stupidity, greed, politics, and personal agendae.

Most of security is aimed at making the public think that they are safe and not demanding the officials do things that they can't or won't (think border) do. Or to "scare" the bad guys off cause we think that they will think that they will be caught.

Think like a terrorist. You would *PROBE* the system. AND take advantage of unwitting probes by watching what is done when innocent things occur.

If we now blame Boston and do nothing about strange blinkign signs then Osama will know that next time those will be the perfect cover for an attack. Next time put them out with bombs knowing they will be ignored or put them out and add the bombs later if the strange devices are ignored next time.

Heck, even better, just announce some fake ad campaign and then put out dummies. Add the real ones later maybe even months or years later once they become part of the accepted background. Who is going to notice one more blinking box when there were already so many of them?

The backward looking things as you call them are mandatory. Once we stop doing those checks the bad guys know they have a free pass to use that method whenever they want.

You do not know what we are ignoring!
The white hats can't advertise their plans let alone any successes without helping the bad guys. What may appear to be wide open may well be well covered and waiting so as to entice a strike so we can roll up the cell when the chatter starts (eg UK approach).

As to olympics, I am more afraid of them nifonging some dupe like Richard Jewel and not going after the true baddies. Think diversion in irak for WMD etc., when we were hot on the trail of Osama. Anyone for conspiracy theories?

william adams, pe, phd

LGAMarch 18, 2007 6:47 PM

Good piece. My own angle as an immigration lawyer is the "material support of terrorism" issue. I now have six Nepalese and 1 Bhutanese asylum cases that have been held up since the asylum interview by DHS for between 3 and 4 1/2 years. All but one involve payment of extortion money to Nepalese Maoists, under duress. The immigration portion of the Real ID Act eliminates duress as a defense by not including it. DHS just announced more discretionary waivers, but not for anyone who falls into the designated terrorist group category--which the Nepalese Maoists do. I can't go into court on a mandamus because even if I can get the case referred back to immigration court, a judge could only deport the person, since there's no defense to paying extortion money when a Maoist puts a gun to your head. My take on all of this is the same as yours--CYA. No one at DHS or USCIS will risk being the one who let the terrorist in. I've written briefs and motions to DHS, USCIS, the director of the Asylum Office and never gotten an acknowledgement. I'm currently thinking of writing Chertoff to request a waiver, even though DHS policy doesn't currently waive asylum applicants like my clients. The only purpose would be to point out once again the idiocy and human cost of their covering their asses.

AnonymousMarch 18, 2007 8:00 PM

Bruce, just a comment on the CYA topic. Unfortunately I am observing a new
management style we could call it MTM (Management Through Medias) where security organizations make themselves accountable to the press rather than to the public. This approach is essentially focused on responding to news. It's as if the accountability of security agencies was to the press rather than the people they serve.
In my opinion it is impairing the capacity of security agencies to focus on the real issues and most of the time, it diverts the attention of security entities on silly things that hit the press. I find that in the current environment security
agencies are almost acting like the stock exchange where a quick return on investments dictates corporate decisions rather than a strong strategy. Security organization often act the same way by creating inefficient solutions for would be threats while ignoring the real security issues.

As long as security professional are catering to the medias, they will
keep missing the real security concerns and will miss the target most of
the time. What needs to happen is the creation of a security accountability
framework. Security agencies should report to an apolitical governing
body that will ensure a true focus on strategic security issues as well
as an oversight of agencies based on reality rather than perception. The public
would be informed by the governance which should be composed of creadible people.

Mike FiggNovember 1, 2007 11:29 AM

One thing I take issue with is the failure to explain the abbreviation CYA till about five paragraphs into the story.

Can you please explain abbreviations earlier than that.

Otherwise a very interesting blog.

ranndinoNovember 2, 2007 3:29 PM

This snitching crap has been a part of American culture for ages, btw. Kids, students and employees have always been encouraged to snitch on each other, so it should come naturally by now.

Snitching on a wide scale never leads to anything good. This kind of crap reminds me of Stalinist Russia when if you had a problem with someone all you had to do is report them to NKVD for any silly reason. It was enough to say that someone criticized Papa Bear Stalin and they were gone. There was no need to prove anything. As Stalin used to say, "No person, no problem".

The whole debacle with Aqua Teen Hunger Force ad campaign in Boston was completely ridiculous, yet the guys who were arrested are still dealing with this BS (I met one of them recently at a club... the guy with the dreadlocks who works as a promoter). The police proved once again that they're completely retarded, yet Menino chose to still go after the "perps". Even though they've done nothing wrong and broke no laws! It's a lot easier to go after a couple of "hippies" than to fire enforcement officials for being incompetent boobs.

BTW, when I met the guy I told him that their interview to the media in front of the courthouse was one of the funniest things I've ever seen. "We are here to talk about hair". I'm still laughing.

DGentryOctober 22, 2009 5:42 AM

On twitter Tim Siedell (@badbanana) made a pithy observation about the ludicrous results of CYA security:

"I think I'm allowed to bring an entire bottle of shampoo on the flight as long as I'm drinking it."

jdlaugheadOctober 20, 2013 12:42 PM

I am a retired Safety Director, and what causes accidents, is two part, Unsafe Acts and or Unsafe conditions. This also works for Security, lets take in this article, where stating, the hypothetical act of Terrism of bombing a Mall, which happen a couple weeks ago, where what was stated, a Terrism act of renting a store in a Mall and them store bombs and ammunition, and then blowing up the Mall later. Could this of been prevented, if we took action to Prevent such a act. Safety job is to prevent accidents, Hence, on construction jobs, Hard hats, safety shoes,safety glasses, first aid kits, safety belts, safety gloves, railings around openings. It might not say we need any of this equipment, like self contained Resperator masks over 911, I couldn't believe, when I saw workers, working on this site, without any masks, where was OSHA!!! So as far as to prevent Terrist Acts, we can't leave anything uncovered to Terrist Acts, because of Unsafe Conditions

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..