Schneier on Security
A blog covering security and security technology.
« Face Recognition Test Results |
| More on the California Voting Machine Review »
August 3, 2007
Conversation with Kip Hawley, TSA Administrator (Part 5)
This is Part 5 of a five-part series. Link to whole thing.
BS: So far, we've only talked about passengers. What about airport workers? Nearly one million workers move in and out of airports every day without ever being screened. The JFK plot, as laughably unrealistic as it was, highlighted the security risks of airport workers. As with any security problem, we need to secure the weak links, rather than make already strong links stronger. What about airport employees, delivery vehicles, and so on?
KH: I totally agree with your point about a strong base level of security everywhere and not creating large gaps by over-focusing on one area. This is especially true with airport employees. We do background checks on all airport employees who have access to the sterile area. These employees are in the same places doing the same jobs day after day, so when someone does something out of the ordinary, it immediately stands out. They serve as an additional set of eyes and ears throughout the airport.
Even so, we should do more on airport employees and my House testimony of April 19 gives details of where we're heading. The main point is that everything you need for an attack is already inside the perimeter of an airport. For example, why take lighters from people who work with blowtorches in facilities with millions of gallons of jet fuel?
You could perhaps feel better by setting up employee checkpoints at entry points, but you'd hassle a lot of people at great cost with minimal additional benefit, and a smart, patient terrorist could find a way to beat you. Today's random, unpredictable screenings that can and do occur everywhere, all the time (including delivery vehicles, etc.) are harder to defeat. With the latter, you make it impossible to engineer an attack; with the former, you give the blueprint for exactly that.
BS: There's another reason to screen pilots and flight attendants: they go through the same security lines as passengers. People have to remember that it's not pilots being screened, it's people dressed as pilots. You either have to implement a system to verify that people dressed as pilots are actual pilots, or just screen everybody. The latter choice is far easier.
I want to ask you about general philosophy. Basically, there are three broad ways of defending airplanes: preventing bad people from getting on them (ID checks), preventing bad objects from getting on them (passenger screening, baggage screening), and preventing bad things from happening on them (reinforcing the cockpit door, sky marshals). The first one seems to be a complete failure, the second one is spotty at best. I've always been a fan of the third. Any future developments in that area?
KH: You are too eager to discount the first -- stopping bad people from getting on planes. That is the most effective! Don't forget about all the intel work done partnering with other countries to stop plots before they get here (UK liquids, NY subway), all the work done to keep them out either through no-flys (at least several times a month) or by Customs & Border Protection on their way in, and law enforcement once they are here (Ft. Dix). Then, you add the behavior observation (both uniformed and not) and identity validation (as we take that on) and that's all before they get to the checkpoint.
The screening-for-things part, we've discussed, so I'll jump to in-air measures. Reinforced, locked cockpit doors and air marshals are indeed huge upgrades since 9/11. Along the same lines, you have to consider the role of the engaged flight crew and passengers -- they are quick to give a heads-up about suspicious behavior and they can, and do, take decisive action when threatened. Also, there are thousands of flights covered by pilots who are qualified as law enforcement and are armed, as well as the agents from other government entities like the Secret Service and FBI who provide coverage as well. There is also a fair amount of communications with the flight deck during flights if anything comes up en route -- either in the aircraft or if we get information that would be of interest to them. That allows "quiet" diversions or other preventive measures. Training is, of course, important too. Pilots need to know what to do in the event of a missile sighting or other event, and need to know what we are going to do in different situations. Other things coming: better air-to-ground communications for air marshals and flight information, including, possibly, video.
So, when you boil it down, keeping the bomb off the plane is the number one priority. A terrorist has to know that once that door closes, he or she is locked into a confined space with dozens, if not hundreds, of zero-tolerance people, some of whom may be armed with firearms, not to mention the memory of United Flight 93.
BS: I've read repeated calls to privatize airport security: to return it to the way it was pre-9/11. Personally, I think it's a bad idea, but I'd like your opinion on the question. And regardless of what you think should happen, do you think it will happen?
KH: From an operational security point of view, I think it works both ways. So it is not a strategic issue for me.
SFO, our largest private airport, has excellent security and is on a par with its federalized counterparts (in fact, I am on a flight from there as I write this). One current federalized advantage is that we can surge resources around the system with no notice; essentially, the ability to move from anywhere to anywhere and mix TSOs with federal air marshals in different force packages. We would need to be sure we don't lose that interchangeability if we were to expand privatized screening.
I don't see a major security or economic driver that would push us to large-scale privatization. Economically, the current cost-plus model makes it a better deal for the government in smaller airports than in bigger. So, maybe more small airports will privatize. If Congress requires collective bargaining for our TSOs, that will impose an additional overhead cost of about $500 million, which would shift the economic balance significantly toward privatized screening. But unless that happens, I don't see major change in this area.
BS: Last question. I regularly criticize overly specific security measures, because forcing the terrorists to make minor modifications in their tactics doesn't make us any safer. We've talked about specific airline threats, but what about airplanes as a specific threat? On the one hand, if we secure our airlines and the terrorists all decide instead to bomb shopping malls, we haven't improved our security very much. On the other hand, airplanes make particularly attractive targets for several reasons. One, they're considered national symbols. Two, they're a common and important travel vehicle, and are deeply embedded throughout our economy. Three, they travel to distant places where the terrorists are. And four, the failure mode is severe: a small bomb drops the plane out of the sky and kills everyone. I don't expect you to give back any of your budget, but when do we have "enough" airplane security as compared with the rest of our nation's infrastructure?
KH: Airplanes are a high-profile target for terrorists for all the reasons you cited. The reason we have the focus we do on aviation is because of the effect the airline system has on our country, both economically and psychologically. We do considerable work (through grants and voluntary agreements) to ensure the safety of surface transportation, but it's less visible to the public because people other than ones in TSA uniforms are taking care of that responsibility.
We look at the aviation system as one component in a much larger network that also includes freight rail, mass transit, highways, etc. And that's just in the U.S. Then you add the world's transportation sectors -- it's all about the network.
The only components that require specific security measures are the critical points of failure -- and they have to be protected at virtually any cost. It doesn't matter which individual part of the network is attacked -- what matters is that the network as a whole is resilient enough to operate even with losing one or more components.
The network approach allows various transportation modes to benefit from our layers of security. Take our first layer: intel. It is fundamental to our security program to catch terrorists long before they get to their target, and even better if we catch them before they get into our country. Our intel operation works closely with other international and domestic agencies, and that information and analysis benefits all transportation modes.
Dogs have proven very successful at detecting explosives. They work in airports and they work in mass transit venues as well. As we test and pilot technologies like millimeter wave in airports, we assess their viability in other transportation modes, and vice versa.
To get back to your question, we're not at the point where we can say "enough" for aviation security. But we're also aware of the attractiveness of other modes and continue to use the network to share resources and lessons learned.
BS: Thank you very much for your time. I appreciate both your time and your candor.
KH: I enjoyed the exchange and appreciated your insights. Thanks for the opportunity.
Posted on August 3, 2007 at 6:12 AM
• 53 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Slippery bugger ain't he?
I think Mr. Hawley, like many politicians, actually believes what he is saying is true, which makes him honest in a perverse sort of way, but also impervious to facts and logic.
The interview brings two quotes to mind, both attributed to Voltaire:
"Doubt is not a pleasant condition, but certainty is absurd. "
"Judge a man by his questions rather than his answers."
It was a really good (and brave) thing for him to agree to such an interview. I think he did a reasonable job, given that he basically can't say "You're right, this is a dumb policy" even if that's what he thinks. The problem he's responsible for solving is basically impossible, which could make for a pretty stressful job.
>you'd hassle a lot of people at great
>cost with minimal additional benefit,
>and a smart, patient terrorist could find
>a way to beat you.
So I take it the working assumption here is:
1) All dumb terrorists will be passengers or flight crew;
2) All smart terrorists will be airport workers
I know it's easy to take pot shots based on single quotes, but damn -- there was just an awful lot of this going on for what was a written interview.
One of the best interviews I've read with anyone this year. Thanks to Bruce for asking hard questions and thanks to Kip for actually responding to them. This is blogging at its best; an antidote to soundbite obsessed TV journalism.
I understand why many readers are frustrated by this interview, but I just find it remarkable for an American government official to respond to hard questions at length. If more journalists and more congresspeople would make the effort to ask hard questions it would be better for everyone.
>One of the best interviews I've read with
>anyone this year. Thanks to Bruce for
>asking hard questions and thanks to Kip
>for actually responding to them. This is
>blogging at its best; an antidote to
>soundbite obsessed TV journalism.
But Hawley didn't answer the questions. He gave the standard "no answer" answers to all of the hard questions. Congratulations to Bruce for doing his best, but Hawley broke no new ground here. The best example is the one quoted by Matt from CT above. The justificiation that Hawley gave for not checking airline workers seems to apply to passengers, too. "Hassling a lot of people at great cost with minimal additional benefit." _That_ should be the slogan of TSA.
I'm looking forward to Bruce's commentary on this interview soon.
One bit of complete nonsense:
"they have to be protected at virtually any cost."
That is not true of anything. Mr Hawley would like the entire budget of the government of the United States? There is *always* a cost/benefit trade-off. But of course, if you include the value of people's time that is being wasted, we are already spending many times more than can be justified on airplane security.
You omitted the most effective approach of all, although it's rather longer-term, which is to prevent people from wanting to do bad things on planes in the first place. Terrorism, like any other crime, requires motive, opportunity and method -- but methods and opportunities are everywhere, so the motivation is the most productive one to attack.
"You could perhaps feel better by setting up employee checkpoints at entry points, but you'd hassle a lot of people at great cost with minimal additional benefit, and a smart, patient terrorist could find a way to beat you."
"A terrorist has to know that once that door closes, he or she is locked into a confined space with dozens, if not hundreds, of zero-tolerance people, some of whom may be armed with firearms, not to mention the memory of United Flight 93."
Good to know that our canny terrorist doesn't need to bring any weapons onto the plane, all he has to do is take one from several people packing on the flight.
My feelings have pretty much mirrored the general tone of the comments thus far through this series. There have been many forehead-slapping moments each day.
However, something KH says towards the end got me thinking along different lines:
"The reason we have the focus we do on aviation is because of the effect the airline system has on our country, both economically and psychologically."
Is it possible that ineffective security theater has a greater economic and psychological calming effect than truly effective security?
Don't get me wrong, I'm still outraged that we spend so much to do so little with air travel security and still haven't secured our shipping ports. I'm just playing devil's advocate here.
"It was a really good (and brave) thing for him to agree to such an interview. I think he did a reasonable job, given that he basically can't say "You're right, this is a dumb policy" even if that's what he thinks. The problem he's responsible for solving is basically impossible, which could make for a pretty stressful job."
I agree completely. Anyone that works in a government or large corporate environment would give lots of credit to this guy. He's not a maverick and he can't be. He's just a part of the huge machine. I think he is probably extremely frustrated, can't really change anything, and will take all the heat if anything goes wrong.
So are his questions evasive? Of course they are. Have you ever read a press release from a corporation that isn't evasive? This guy isn't a security researcher. For this interview, he's a public relations official.
I think we can admit that the system is broken and still cut the guy some slack.
Great interview(s). i would love to see more stuff like that, maybe on a cryptography related topic? =)
@Daley: "Hassling a lot of people at great cost with minimal additional benefit." _That_ should be the slogan of TSA.
I was thinking of "Full of sound and fury, signifying nothing." Who can object to Shakespeare? Even better, the full quote is "it is a tale told by an idiot, full of sound and fury, signifying nothing."
Hawley wrote: "If Congress requires collective bargaining for our TSOs, that will impose an additional overhead cost of about $500 million, which would shift the economic balance significantly toward privatized screening. But unless that happens, I don't see major change in this area."
I guess there you have it, right from a government official: the value of collective bargaining to employees who do not have it. Can anyone wonder why workers (at least sometimes) want this? And doesn't anyone feel any shame that we would take steps to deny these employees $500 million/year by dumping them back in the private sector where they become low paid rent-a-bodies? "If we let these people negotiate the way many other workers can, we'd have to spend $X more, so we'd rather avoid that and if necessary we'll just privatize again". Pathetic.
Great interview! You brought up a lot of good points for consideration.
I'm also guessing that after this, Bruce will never be able to fly anywhere, any time, for any reason. The TSA has probably already put a "Shoot-On-Sight" order out on him, lol.
But who could ever take seriously a guy called "Kip" ???
@Damon: "Is it possible that ineffective security theater has a greater economic and psychological calming effect than truly effective security?"
It's not provable, is it?
It would need an administration, telling the people that perfect security isn't possible and allmost secure flights aren't affordable. Face the risks - there is no choice.
I guess it's less the economic, but the election effect, which counts.
A number of comments here:
Liquid ban === A VERY GOOD THING!
Bleach (Clorox) is what, 3-6% Sodium Hypochlorite. You can easily buy stuff a lot more potent from a chem lab. Mixed with an acid it produces Chlorine gas. Chlorine is detectable my humans at 3.5ppm, and toxic at something like 1000 ppm.
Bleach looks like water in a bottle. How much would a terrorist need to bring on board?
And Bleach is tame compared to other things out there....
Shoe ban is pointless. But we already knew that. (Anything you could hide in your shoes, you could tape to your body. Or shove up your ass.)
> There is also a fair amount of communications with
> the flight deck during flights if anything comes up
> en route -- either in the aircraft or if we get
> information that would be of interest to them. That
> allows "quiet" diversions or other preventive measures.
These "quiet" diversions and "other preventive measures" scare me more than the terrorists do...
These "security" folks are so desperately searching for something, anything, to justify their budget & jobs. Without any terrorists around, God help the innocents they trample.
We are trading freedom for security here, and were are winding up with neither.
Too many people are more concerned with covering the ass, regardless of the cost, than with the people they were supposed to be protecting!
And far too may citizens are afraid to speak out, for fear of going on a watch list. Or worse. (To my shame, I'm one of them. I've been far too quiet for far too long.)
> The reason we have the focus we do on aviation is
> because of the effect the airline system has on
> our country, both economically and psychologically.
So what stops a terrorist from, in the middle of the night, stealing an armored car, driving it onto the tarmac, straight through a fence if necessary, shooting holes in airplane wings with a shotgun, dropping lit road flares to ignite the now-leaking gas, and destroying every plane in the airport?
With a handful of distributed teams, and given our hub-based air transportation system, they could take out the vast bulk of our air fleet.
Similarly, given our hub-based air transportation infrastructure, where everyone flies to a hub, and then from a hub. What stops terrorists from destroying the security checkpoint at the hub?
No security checkpoint, no pilots get through to fly the planes, everything grinds to a halt. Only a few hundred may die in the attack. But, pick the right day of the year, and almost everyone in the country will either be stranded, or know someone who is stranded.
I mean come on already. Doesn't anyone think of these things? Or is their red team all about "how can we smuggle a this new glock through X-Ray in our bag?"
Perhaps it's time Kip Hawley's Red team began taking suggestions from the huddled masses.
I guarantee that we, as a group, will come up with things he'd never think of in a million years.
*sigh*. I just got put on a watch list, didn't I....
Best quote, with only two minor changes shown in [brackets].
>> You could perhaps feel better by setting up [traveler] checkpoints at entry points, but you'd hassle a lot of people at great cost with minimal additional benefit, and a smart, patient terrorist could find a way to beat you.
>> Today's random, unpredictable screenings that can and do occur everywhere, all the time (including [taxicabs], etc.) are harder to defeat. With the latter, you make it impossible to engineer an attack; with the former, you give the blueprint for exactly that.
So if this doesn't make sense dealing with travelers, why does it make sense dealing with employees?
Ugh, how about his twisting of Schneier's dismissal of "preventing bad people from getting on them (ID checks)" into a dismissal of early investigative work, which gets praised in every third post here (as Hawley knows full well). The question was specifically about things the TSA does, not things Scotland Yard does, and shame on Hawley for practically taking credit for their work. I wouldn't be able to reprint that word-twisting without an inline rebuttal.
He does have a point about air travel being important. Here in Minneapolis, Minnesota, we had a major bridge collapse at rush hour Wednesday, with bumper-to-bumper traffic. Last I checked, the official count was four dead, eight missing (and almost certainly dead), six critically injured, and about seventy less injured. There likely are more people dead, since nobody had a good count of people who went into the river when the bridge collapsed.
This is the sort of result you'd consider pretty good for a terrorist attack on a bridge (terrorists weren't involved here - the bridge was known to have structural problems). It would also take a lot more explosives, and a lot more expertly set up, than taking down a plane. However, blowing up a loaded airliner is going to kill a lot more people.
This suggests to me that airport security is considerably more important than most other security, in that it's the biggest death toll for the bang. I don't think it's being done at all well, but DHS is correct in emphasizing it.
Overall, good tough questions from Bruce. I can't say that my opinion of Kippie has changed any. One disappointment (and maybe I missed something) is that Bruce seemed to give him a pass on the "consistent inconsitency" that we see at every day at the airport.
To me, it seems like institutionalized incompetence. Kip knew he couldn't get TSA to fall in line, so he just threw up his hands and made incosistency policy. Saw a poster TSA put out and our security officer had. It's here
I don't think it looked right, so I fixed it. That's here.
I think that pretty much sums it up.
True, the bridge collapse resulted in minor casualties in relation to an airplane, but that is a clear reason why a bridge is a poor target.
Consider the fear and change that has happened because of a few hijacked airplanes and them being used as weapons. Don't you think the impact would be more severe if a few people hijacked a few buses, loaded them with explosives and blew up some schools?
Airplanes are high-profile target right now because they were the instrument of the most successful foreign terrorist attack on American soil.
If a ferry or a boat was used to bring a bomb into a major port, then boats would very quickly have a higher level of scrutiny to ports and harbours, but don't kid yourself. Ports and harbours will never have the same level of scrutiny as airports because easy access to ports and harbours have been the foundation of a strong economy for hundreds of years. Airplanes are just too expensive for most goods!
The reason for not screening and dealing with airport workers is that it would raise the ire of the unions and of the drug smugglers, not to mention the folks who make their living pilfering the cargo and luggage.
If any of this security theater crap was working, America would be well rid of its drug smuggling and related problems.
"Good to know that our canny terrorist doesn't need to bring any weapons onto the plane, all he has to do is take one from several people packing on the flight."
Or figure out how to successfully impersonate someone who IS allowed to bring a gun.
That is completely idiotic. NO ONE should be allowed a gun onto a plane. NO ONE.
The security personnel should be trained in the use of other weapons. Such as these:
The weapons the security people should have are weapons that cannot effectively be used against them or other security personnel or the passengers or the pilots. That's pretty much hand to hand combat. With sticks.
As for everyone who's saying how great Kip is for "answering" Bruce's questions ... it's called "transparency". Government of the people, by the people, for the people. You should not be praising him for evading Bruce's questions and being "brave" enough to face an expert in the field.
He's a government official evading the questions of an expert in the field.
He OWES the public an explanation. Without double-speak. Without obfuscation. Without claims of secrecy.
He is a public servant.
I am thinking about what was the point of the interview at all ?
I agree completely that Kip wasn't able to tell that it is crap what the TSA is doing. So why did he agreed at all (he could have a private conversation with Bruce if he is really interested to tighten the security) ?
I suspect the reason is that whenever the criticism of Bruce is mentioned, the opponents will say: "Kip Hawley answered (or better, refuted !!) all criticism in detail." They will trust on the inability of the average citizen to find the source or even then, the unwillingness caused by political orientation to take a look at it.
There's another reason that airline/airplane security is much higher than harbor and port security: it's visible. Imagine all the (extra) money we spend on airport security being used on port security instead. Who would see it? Just a (relatively) few dock workers, merchant marines, etc. How could the gov't justify spending all that money? But with airport security, it's a hassle, sure--but it's a very visible process. That's got a lot more to do, I suspect, with letting Joe Cornbelt see his tax dollars at work than scaring off any terrorists.
Remeber: the first job of any government agency is to justify its own existence.
"You could perhaps feel better by setting up employee checkpoints at entry points, but you'd hassle a lot of people at great cost with minimal additional benefit, and a smart, patient terrorist could find a way to beat you."
This was the point you should have pounced on him, Bruce. You seriously missed your chance there.
Kip has said more than once that bad people are stopped from boarding planes "at least several times a month" by the no-fly list, but he's not willing to illuminate further.
I'd like to hear the security justification for keeping secret who these bad people are. How does this "obscurity" make the system more secure. If "the terrorists" are being stopped or jailed then they certainly know it, and have gained information about the security apparatus. However, the public is somehow safer if it doesn't know.
I notice that the plots or attempts that are public --Richard Reed, liquids, JFK, "dry-runs", etc. -- are either failed, improbable, or erroneous. But we can't talk about the bogey men stopped several times a month because of the no-fly list. It makes me suspicious that either these "stopped" threats are no real threat or no "new" threat (e.g. they are people with arrest warrants, "undesirable associations" such as Yusuf Islam), or they really don't exist or are being overblown in their importance or scale.
It occurs to me that finding out who is stopped would reveal (to the public) who is on the no-fly list, which is for some reason undesirable. In that case I'd like to know what the security justification is for keeping the list secret. Again, the ones on it know they are on it, or at least know they are being "prevented" even if they don't know the "source" of the denial.
So a couple of things come to mind. One is why are security guys such jerks? I have friends who work at our city's airport and they seem to feel that most of the TSA guys they deal with are pretty much people who were too dumb to get into the police academy.
The other thing is that now that these slow security procedures create such massive backlogs of passengers clustered in huge lines, you don't even need to get a bomb onto the plane anymore. Imagine if someone set off a bomb in the middle of the line for screening on Thanksgiving weekend. Probably a couple hundred or more dead and no fuss with actually getting the thing onto an airplane.
@Hans: If "the terrorists" are being stopped or jailed then they certainly know it, and have gained information about the security apparatus.
This analysis presumes that all "the terrorists" are part of a single organization that has very good internal communication. The former is unlikely to be true. It also presumes that they know they were stopped for being terrorists, rather than some other reason. It would be High Art if the TSA stopped Bad Guys without letting them know they were identified as Bad Guys.
Once you detect the Bad Guys doing something, the question of whether to let them know always arises.
One extreme is to always let them know. Problem is, then they know which Bad Guy was caught and which got through. The reason Pakistan was able to develop nuclear weapons recently is that the last time they tried (1970s?), the US stopped them by showing the Pakistanis all the US intelligence on their efforts - it was an impressive amount. So when the Pakistanis restarted the program, they knew exactly how to evade US detection.
The other extreme is to never let them know. Problem is, then they're not deterred because they think everyone's getting through. (If, for some reason, the Good Guys know they're catching 100% of the Bad Guys, then this extreme is acceptable. But no one believes he caught every single Bad Guy.)
So the Good Guys need to pick something in the middle. To an outsider this will look like the Good Guy is ineffective.
Now if only we had a reason to trust the TSA is doing it right.
re the comment replying to Hans, discussing how much to reveal: that was me, Harry. Sorry about that.
From the Article:
BS: "I want to ask you about general philosophy. Basically, there are three broad ways of defending airplanes: preventing bad people from getting on them (ID checks), preventing bad objects from getting on them (passenger screening, baggage screening), and preventing bad things from happening on them (reinforcing the cockpit door, sky marshals). The first one seems to be a complete failure, the second one is spotty at best. I've always been a fan of the third. Any future developments in that area?"
Bruce has the right framework for this.
For example, think of how we protect banks:
Do we try to prevent robbers from getting in the banks?
No, this would prove very very difficult.
Do we try to prevent bad objects from getting in the banks?
Not to my knowledge. (Someone tell me if I am wrong, please.)
Do we prevent bad things from happening inside?
Yes. We have a freaking big vault door. There are also security guards in many cases.
Think about what would happen if we let TSA manage all of our banks.
@Brandioch Conner, "He OWES the public an explanation. Without double-speak. Without obfuscation. Without claims of secrecy. He is a public servant. "
Having been an elected official who answered questions and gave explanations honestly and without obfuscation and double-speak, I can attest from firsthand experience that it makes no difference, there will still be those who make accusations of such behavior. Too many people start with the position "you're wrong, now what is it you have to say?"
A question for everyone reading this, being totally honest with yourself, are you completely free of such prejudice?
@John Kelsey, "The problem he's responsible for solving is basically impossible, ..."
It is true, people get the government they deserve.
"Having been an elected official ... blah blah blah ..."
Irrelevant. Unless you are accusing Bruce of behaving in such a fashion. Try to stick to the facts.
It is Kip's job to evaluate the risks, develop a plan to reduce those risks and get that plan implemented.
I Kip can't do that, he should hire experts who can. Bruce would be such an expert.
Kip is not doing that. Kip cannot even provide direct answers to Bruce's questions.
"A question for everyone reading this, being totally honest with yourself, are you completely free of such prejudice?"
Yes. I don't know who Bruce voted for in the last election and I don't care. I would hire Bruce for his expertise, not his political connections. And I'd have his plans checked by other security experts.
As others have pointed out, it's 2007 and anyone can drive a car bomb right through most airport terminals. And it would shut down all flights for at least a day.
The fact that the terrorists have NOT done so despite the non-existent safeguards shows that the terrorist threat is NOT as terrible as you are lead to believe.
We need SENSIBLE counter-measures. Not crap like taking off your shoes and dumping out your shampoo.
Bruce, would it be possible for you to plot one of your "attack trees" regarding hijacking/bombing aircraft? And post it?
Seal the flightdeck door and the terrorists cannot directly take control of the plane. That pretty much eliminates the "guided missile" scenario.
But they can still communicate with the pilot and demand to be taken to Cuba (example) or they will kill the passengers.
So you have air marshals (or equivalent) armed with sticks on the flights. That reduces that scenario to only terrorists who can over power the air marshal AND the other passengers.
It's interesting. During Thanksgiving weekend lines to get through screening are enormous. Several hundred people per gate system. What would stop a group of terrorists from taking a backpack full of, oh I don't know, semtex or some other high density explosive, into the security line and setting it off synchronized across the country? Who'd ever go to an airport ever again?
At some point you have to either get comfortable with the idea that some attacks will always be successful and its the operating cost of fucking over poor countries, or you need to address the base problem at hand.
The single most effective way to eliminate terrorism is to remove the desire to do so, which generally involves making people richer so they have more to lose than gain from it.
This is a hard pill to swallow though, it's difficult to get people into the idea of improving the life of that guy over there intent on killing you. Until we figure that one out, its going to continue to be about thicker armor and killing them before they kill us.
In that respect, the Israelis have excellent airport security, why don't we implement a system closer to theirs? Probably because the cost of redesigning our airport infrastructure is unbelievably large. If we're not going to work on being a better world citizen, we better get started on better infrastructure, 'cause it sure is going to take a while...
I find it interesting that Bruce mentioned that much of the interview was "off the record." I'd love to read what was left out...
how exactly does random screening make it "impossible" to engineer an attack?
"mr. bin laden, we've hit a snag in our evil plot! there's a 2% chance our operative will be randomly selected for screening before he can gloriously martyr himself!"
"why, that makes it impossible for our plans to succeed! a thousand curses on those infidel dogs!"
kip says no-fly lists actually *work* several times a month. but earlier he said several times a *week* "would be low-balling it". i guess he's changing it up to keep those terrorists on their toes:
"mr. bin laden! kip hawley's answers are inconsistent! it's sooo confusing!"
"yes, he gives me a headache! let's attack afganistan instead!"
transparency, transparency, transparency. the cia, nsa, and tsa are all agencies that are not accountable to the very people who ultimately bankroll them. i can put up with the secrecy shrouding the first two because they don't make me take my shoes off every time i travel. but the tsa essentially tells us, "i'll protect you, but it'll cost you a percentage of the money you take in. you're gonna have to follow my rules, or there'll be consequences. and don't bother asking me for proof that my protection is any good. i say it is, and that's all you need to know."
sounds kinda like your friendly neighborhood mob boss.
You could perhaps feel better by setting up employee checkpoints at entry points, but you'd hassle a lot of people at great cost with minimal additional benefit, and a smart, patient terrorist could find a way to beat you.
Replace the word "employee" with "passenger", and you get a semantically and factually equivalent statement. Yet Kip endorses passenger checkpoints while shunning employee checkpoints. Is he unable to see this, or just unwilling to admit it?
Bruce, would it be possible for you to plot one of your "attack trees" regarding hijacking/bombing aircraft? And post it?
Not if he ever wants to fly again.
“…the Israelis have excellent airport security, why don't we implement a system closer to theirs?��?
For the simple reason this would require dismissing thousands of “legacy��? private security nincompoops, welfare moms and paramiliatary wannabes working for near minimum wage and replacing them with educated and highly trained individuals who can comprehend the situation and are capable of independent and even intelligent thought.
Sorry. Is my bile showing?
A little OT but this is worth a look:
The article is titled "I'd risk flying with terrorists to escape this airport hell".
It's hard to see how the likes of Kip will ever be respected when airport security measures involve irritating milions of people.
What are the TSA going to do when the terrorists start hiding bombs in body cavities? When the get surgeons to implant them in the abdomen?
"You could perhaps feel better by setting up employee checkpoints at entry points, but you'd hassle a lot of people at great cost with minimal additional benefit" So hassling the employees is bad but hassling PAYING passengers is ok? Taking liquids from passengers but allowing a truck driven by an unknown person full of unknown materials right up to the plane is pointless. If I am going to be screened, have to take my shoes off and have all my liquids thrown away, I think all airport employees and vendors should be subject to the same security.
If we required employee screenings (where the airlines/airport was paying for it in aggravation and lost time) I bet we'd see a more reasonable approach to all this.
@Harry: "Hassling a lot of people at great cost with minimal additional benefit." _That_ should be the slogan of TSA.
LOL! I love it!
"The single most effective way to eliminate terrorism is to remove the desire to do so, which generally involves making people richer so they have more to lose than gain from it."
The perpetrators of 9/11 were mostly middle class or better Saudis. The most recent attacks in the UK were mostly well educated doctors. The Underground perps lived in the UK, not some god forsaken hole in the back of beyond. It was not a question of the Third World resenting the First World. What seems to be at work here is religious fanaticism. So how do we deal with that?
There's very few things I can think of that need to be protected 'at all cost':
Nuclear Weapons (and the information to build them [too late for that]), plus any launch codes.
Biological warfare agents and diseases like Ebola that have mega-death potential.
Disposition of strategic forces that would allow an enemy power to launch a decapitating first-strike.
Probably a couple of other things...but basically anything that would cause massive disruption of western society, mega-deaths, or destruction of the US and it's western allies.
After looking over all this TSA updating and logic streaming, I am still distrubed by the story of the Navy Seal who checked his weapon aboard a domestic flight with all the required military ID and packaging, flew back to his base, went to the baggage area and surprise, surprise, it had vaporized. And he never saw the weapon again. This happened not that long ago I might add
> I want to ask you about general philosophy. Basically, there are three broad ways of defending airplanes: preventing bad people from getting on them (ID checks), preventing bad objects from getting on them (passenger screening, baggage screening), and preventing bad things from happening on them (reinforcing the cockpit door, sky marshals). The first one seems to be a complete failure, the second one is spotty at best. I've always been a fan of the third.
I was hoping that you would ask a more numerical cost/benefit question along the lines:
2 million passengers/day x 365 days = 730 million passengers/year
2 hours additional time spent at airport due to post 9/11 changes in screening = 1460 million hours cost per year, 166,667 years
Assume average passenger has 50 years life span remaining.
The additional time spent in screening is then equivalent to 3333 lives, roughly the toll of 9/11.
"Security" is in one sense costing as many lives per year as the hijackers.
> I don't expect you to give back any of your budget, but when do we have "enough" airplane security as compared with the rest of our nation's infrastructure?
I submit that your third way of defending airplanes, coupled with pre-9/11 screening and carry-on restrictions, provides for more societal benefit than what TSA does at airports.
Greetings Mr. Schneier,
First, as a Federal Air Marshal, I want to tell you what an outstanding interview you did with Kip Hawley. Myself and my colleagues were astounded that the Kipper would actually sit for such a fact-finding and open interview –– although I must admit the Kipper did tap-dance around most of your questions.
Second, I want to inform you of the greatest TSA fraud being perpetrated against the citizens of this country, and it has to do with the employees of airports not being screened.
On January 29, 2007, CBS conducted an investigation in Atlanta and reported on how easily an airport employee could smuggle a gun onto a plane.
On February 5, 2007, CBS conducted an investigation in Chicago exposing how airport employees were not being screened.
On February 15, 2007, ABC conducted an investigation in Las Vegas, where a current and former Las Vegas air marshal went public on how easily an airport employee could smuggle guns into the secure area. The only response from TSA was that all airport employees go through "an extensive background check".
But within just a couple of weeks of all three of those warnings, two airport employees did in fact use their SIDA badges to smuggle 14 guns on a plane in Orlando. The warning bells were going off, but as usual, the government wasn't listening –– TSA is reactive, not proactive –– and this proved it.
Now I don't need to tell you what an "extensive background check" consists of, and they usually cost in the neighborhood of between 5K to 10K And there is the fraud.
Anyone working in the US Government in a job that deals with National Security, must undergo an "Extensive Background Check". They must fill out an SF-85 for Non-Sensitive Positions and an SF-86 for National Security Sensitive Positions. You can read General Questions and Answers About OPM Background Investigations to give you a better idea how it all works. As you will see, there is not much of a difference between the two questionnaires.
Nevertheless, a person mandated to have an "Extensive Background Check" would not be a person considered to be in a "non-sensitive" position –– such as most airport employees. Do you think Burger King is going to flip the bill for an "extensive background check" for a burger flipper? That's what TSA wants you and everyone else to believe.
In fact, TSA wants people to believe that they are putting every airport employees through the more extensive background investigation given to employees in National Security positions –– then again, isn't working in a secured area actually a matter of National Security? Even one of the companies that actually does legitimate extensive background checks for the government has serious quality control problems.
Want to know how TSA conducts its so called "extensive background check"? At Las Vegas airport –– and I'm sure its the same everywhere –– the newly hired airport employee goes to the airport Badging Office, sits through a boring class for a couple of hours (I know I had to sit through it), then fills out a SIDA Airport Badge application. The employee is then directed to the Las Vegas Metro Police office in the airport. They walk up to the window and hand the receptionist the SIDA Badge application. The woman enters the employee's name into the NCIC National Database and checks for warrants or felony convictions (although I'm not sure thats even a disqualifier).
Once cleared of no current warrants, the receptionist signs and stamps the application and the employee takes it back to the Badging Office. They take the employee's picture, hand them their new SIDA Badge... and off they go into the secured sterile area. That's the extensive background check! It takes about 20 minutes.
If you ask TSA what their "extensive background check" consists of, they will tell you that's SSI and not to be disclosed... how convenient.
Remember, on September 10th, none of the 9/11 hijackers had criminal warrants or records, and every single one of them would have passed the TSA "extensive background check" and received a SIDA badge in 20 minutes.
So what's the solution?
Simple: All non-law enforcement airport employees and airline crews must be screened. No exceptions.
- Anonymous Federal Air Marshal
A few months back I found myself stuck in a local airport when my flight was delayed. While wandering around fighting boredom, I struck up a conversation with an airport police officer who was standing just inside the security checkpoint. When I mentioned my belief that the security measures were largely for show, it apparently broke something loose
inside the officer's mind, and he suddenly got surprisingly candid and talkative, and together we "attacked" the security measures present.
There were three problems which he touched on which I've not seen discussed much in the press.
Problem: The security perimeter is too permeable to unchecked materials. The obvious thing to me was the near-total ban on liquids and I suggested that, in the absence of rigorous screening of deliveries, it wouldn't be difficult to smuggle in "dangerous" liquids
via the delivery service used by airport concession services. He agreed, explaining that those are screened almost not at all, and that the vendors are trusted on "an honor system."
Problem: Items and people not thoroughly screened are brought past the outer barrier. He pointed out a flaw I'd overlooked, namely that "suspicious" people (i.e., people who set off the metal detector, are selected for additional screening, etc.) are brought *inside* the security perimeter. In busy checkpoints, there's frequently enough confusion that someone who's still tainted could pass material to someone else as they're passing through the checkpoint.
Problem: Response to obvious threats isn't forceful enough. He explained this in the context of a bomb threat that he'd heard of, where someone showed up outside the airport and claimed to have a bomb, apparently with props. (Note: I can't find reference to a public
report of this, but I could be searching for the wrong thing or in the wrong places.) At the risk of misquoting him, I think he said, "I don't
mean to be insensitive, but why is that guy still alive?" Sure, it might increase the "suicide by cop" rate, but he seemed to think that someone approaching an airport, claiming to have a bomb, and carrying (or wearing) something unusual would merit a somewhat more vigorous response rather than letting the guy get to the terminal. While mental instability is a possibility in such cases, considering the cheese-with-wires stuff that's been going on, a dress rehearsal is certainly a possibility, too. Whether or not a lethal response is called for in such cases is--well, outside my usual decision-making process. Hopefully police are better trained in making such decisions.
Anyway, I thought these were interesting and candid observations, and worth passing on. Oh, and thanks for the DEFCON appearance this year. It was interesting!
What perplexes me is that some terrorist has not figured out that each security check point is a vulnerable choke point, which is a bad thing. When I say choke point think abattoir. All a terrorist would have to do is walk in there with what could be a large bomb and kill more people than I care to think about.
If you want domestic airline security to be absolute, let all concealed carry permit holders carry on the flight. This would require two things:
1. National concealed carry law. (Which will never happen, as the anti-gun lobby would wet themselves.)
2. Education of the public to the non-threat of concealed carry license holders. Hey, we really are the good guys.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.