Schneier on Security
A blog covering security and security technology.
« The Neuroscience of Cons |
| Skein and SHA-3 News »
November 18, 2008
Schneier for TSA Administrator
It's been suggested. For the record, I don't want the job.
Since the election, the newspapers and Internet have been flooded with unsolicited advice for President-elect Barack Obama. I'll go ahead and add mine.
And by "revamp," I mean "start over." Most security experts agree that the rigmarole we go through at the airport is mere security theater, designed not to make us safer, but to make us feel safer by making it increasingly inconvenient to fly. TSA's approach to security is too reactionary -- too set on preventing attacks and attempted attacks that have already happened. And please, whatever you do, resist the temptation to let TSA workers unionize. Security from terror attacks should not be a federal jobs program. You need the authority to fire underperforming screeners quickly and effortlessly. Three game-changing possibilities to head up TSA: security guru Bruce Schneier, Cato Institute security and technology scholar Jim Harper, or Ohio State University's John Mueller.
Although I'd be happy to see either Jim or John with it.
I don't want it because it's too narrow. I think the right thing for the government to do is to give the TSA a lot less money. I'd rather they defend against the broad threat of terrorism than focus on the narrow threat of airplane terrorism, and I'd rather they defend against the myriad of threats that face our society than focus on the singular threat of terrorism. But the head of the TSA can't have those opinions; he has to take the money he's given and perform the specific function he's assigned to perform. Not very much fun, really.
But I'd be happy to advise whoever Obama choses to head the TSA.
The job of the nation's CTO would be more interesting, but I don't think I want it, either. (Have you seen the screening process?)
Posted on November 18, 2008 at 1:46 PM
• 63 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
If you're offered it, please reconsider.
Actually, I nominated you for head of Homeland Security.
I agree, you need a much more far-reaching office to deal with the inanities of American Security Theatre.
Sadly, you inability to write a book endorsed by Oprah is proving to be a major stumbling block.
Pournelle's Iron Law of Bureacracy strikes again!
The vetting process will eventually eliminate anyone who has ever done anything!
You certainly can't game the system any more. Zoe Baird and Kimba Wood proved that.
"The purpose of government is to hire and pay government workers."
Actually, I don't think Schneier should be head of Homeland Security. HS deals with too much black. I think Schneier would pull his hair out when dealing with projects which he not only can't tell everyone about, but he can't tell everyone that he can't tell everyone about it.
I don't want you as TSA Admin - I want you as the head of DHS.
I find it heartening that the current administration is proposing a Chief Officer and not a czar. Subtle but better.
And Bruce, the world could use your advice in a more official capacity. I'll second the idea that you should reconsider if a post is offered. The stupidity of the process is overshadowed by the good that you could do in the position.
In all honesty, it is probably far more difficult than any of us critics viewing limited information from the comfort of our offices would like to admit.
I think the liquids ban, for example, is mostly theatre against terrorism, since terrorists will find another way (probably not involving planes next time). That said, if some novice copycat that has lost his marbels was to blow up something on a single plane resulting in a highly publicized incident and great financial loss due to customer fear, I'd really hate to be the guy on the hot seat trying to explain why we ignored a previously published risk even if my defense was the absolutely correct assessment that it wasn't worth it.
Please don't take that as me saying things are efficient. I think a great deal of scrutiny is deserved, but we should also concede that while they are inefficiently doing a job, it is probably not as easy of a job as we may think.
I'm glad this is the internet, so I don't have to duck! *grin*
Being considered for this sort of thing must be heady stuff, but if you do get some kind of offer, think about it very carefully. The Federal TLA bureacracies have a way of eating up outsiders brought in to lead them, and spitting out the clean-picked bones. Remember Les Aspin, the professorial defense intellectual, who went to DOD, and discovered he couldn't get them to do anything he wanted?
No offense, Bruce, but you've never run anything big enough to have a good feel for what running something like TSA would be like. If the Obama administration should succeed in talking you into some kind of senior role, make sure you bring along an experienced bureaucratic infighter with whom you see eye-to-eye, to ride shotgun for you.
From the article quote: "And please, whatever you do, resist the temptation to let TSA workers unionize. Security from terror attacks should be a federal jobs program. You need the authority to fire underperforming screeners quickly and effortlessly."
It's not surprising to see a Fox News commentator take a cheap shot at unions. Unions and professional organizations represent millions of emergency and security workers, from cops through doctors. And they provide a valuable additional protection against government abuses of power, such as hiring and firing people based on political beliefs or other non performance-related issues.
I get your point, but Unions do have the unfortunate side effect of making it difficult to fire poor people. That's not to say they do no good, but it is to say it comes with a cost.
I don't see where there view being different than yours as a cheap shot on their part.
i work in for a division of the federal govt. it is extraordinarily frustrating when someone who is not competent, and does not have the skill to do what they do, and as a result are in a position to harm the public through their ineptitude, cannot be dismissed without going through anywhere from 12 - 24 months of "process" to remove.
i agree in protecting worker's rights, but not at the expense of castrating the employer to the detriment of the organization, the public, and the rest of the workers who ARE capable of doing their jobs. to quote dennis miller: "but that's just my opinion... i could be wrong".
@John: "I'd really hate to be the guy on the hot seat trying to explain why we ignored a previously published risk even if my defense was the absolutely correct assessment that it wasn't worth it."
Speaking also of hot seats, it can be viewed similarly to the ankle bracelets on babies in hospitals. Infant abdunction is rare, and money is probably better spent on more significant risks (for example, far more babies fall victim to SIDs than abductions). However, nationwide, it may happen. So, if one day the TV is lit up with an alert to find an abduction at another hospital, and I receive a call to come before the board... *queue the darth vader music*
Board Hotshot: "What are we doing to prevent infant abduction?"
Me: "We have trained our staff and have cameras installed."
Board Bigshot: "Why aren't we using bracelets?"
Me: "Abduction is rare, and our resources are best used for more common threats. The bracelets aren't worth the money for an unlikely event."
Board Hotshot: "What do you mean not worth the money? Have you seen the news? How can you claim it won't happen? Did you get your degree out of a cracker jack box?"
Pink slip time. Even though I'm not responsible and I was right.
Sad but true. Same could apply to security elsewhere, such as TSA.
If you want to directly affect budgeting decisions about who gets how much then I think you would have to run for Congress.
I want Bruce for Secretary of State. What is diplomacy if not social engineering? And what are treaties if not security policies?
Ain't nobody gonna con Bruce.
Bruce is best speaking truth to power. He's a generalist in a specialized field. He shouldn't be head of a government department. Not yet, anyway.
But he should be on advisory panels.
Anyone who *wants* to become head of the TSA is incapable, by definition.
The Department of Homeland Security should be disbanded. We already have a Department of Defense that is charged with protecting the homeland.
The best placement for Bruce Schneier is that he remain where he is now. He is on the outside and has freedom to criticize.
>> You need the authority to fire underperforming screeners quickly and effortlessly.
I hate to point this out, but this is one strong advantage of contract security.
You can't fire an underachiever. But you can pick up the phone and require that they be replaced. Today.
So why did Globe Aviation, owned by Securitas AB, not detect the hijackers at Logan airport in Boston? Among other lapses, FAA regulations permitted passengers to bring blades less than four inches long through security.
If you buy cheap security, don't be surprised at what you get.
If you don't exercise intelligent oversight and management, you are merely throwing away money regardless of what kind of security you think you're buying.
I don't see how making airport security a Federal monopoly-bureaucracy has helped matters any. I shudder at the thought of TSA unions.
I agree with Eric Norman that the DHS should be disbanded, it's a complete boondoggle from the top down. The entire intelligence community including the respective roles of the pre-existing agencies needs a complete overhaul. Hercules needs to reroute the Potomac through the Pentagon one time, if you get my drift.
I don't agree that Bruce would be more effective on the outside, although from a personal perspective he's definitely better off there. On the inside, he'd be able to better ax the deadwood (on both a policy and personnel level). The only problems are that he would have to deal with a lot of sordid stuff, and eventually he'd be at risk for one of those mysterious "accidents" or "suicides" because he WOULD blow the lid completely off any real nastiness he found if he felt the American public would be better off knowing about it.
Board Bigshot: "Why aren't we using bracelets?"
Me: "Abduction is rare, and our resources are best used for more common threats. The bracelets aren't worth the money for an unlikely event."
SomeSmartGuy: "The money we saved by not using bracelets was used to save the lives of more than 10 critically ill babies. Do you want to kill 10 babies to save one? Are you a babykiller, sir?"
"Although I'd be happy to see either Jim or John with it." that's not very nice Bruce to throw away the poisoned apple ;).
@SomeSmartGuy: "The money we saved by not using bracelets was used to save the lives of more than 10 critically ill babies. Do you want to kill 10 babies to save one? Are you a babykiller, sir?"
That would be true, but that probably wouldn't shush a bigshot looking for good pr.
How about Bruce Schneier Director of NSA/CSS?
do you think Bruce would let the government take his freedom to criticize?
The "securitiy theater" of the TSA is a direct result of the "government theater" of the government.
The head of TSA isn't there to form a truly effective deterrent; he is the performance director appointed by Congress.
"And please, whatever you do, resist the temptation to let TSA workers unionize."
In a letter to the president of the AFL-CIO before the election, Obama already pledged to support "collective bargaining rights" for TSA employees. He also promised:
"As President, I will make sure that the documented waste and mismanagement at TSA is subject to the same rules regarding contracting as other federal agencies. This year, TSA gave an enormous $1.2 billion sole source contract for human resources services without regard to the rules that require them to allow current TSA employees to compete for that work."
bruce, i say they create a chief marketing/pr officer for the TSA. you'd be ideal for creating the message, explaining the nuances and meaning, as well as fielding feedback. leave the ongoing maintenance/details to ops.
I had John Mueller as a professor at Ohio State. He is one cankerous SOB, but right about the over stated threat of terrorism. I have some insight into security theater as I am Loss Prevention Manager for a major corporation. We utilize EAS tags, however we do not have the EAS towers at the doors. Even if we did, I could not stop a customer for the beep alone. Security theater pure and simple and besides they do not stop the professional thieves. The TSA acts very much like the EAS tags I am forced to use. They stop just enough amateur plots to justify the investment when it is the professionals that we should attempt to detect through intelligence. The TSA was never designed to stop professional terrorists.
What most commenters appear to have missed is the primary job function of any appointies job.
It is effectivly hidden away in the, 63rd is all-encompassing question,
"Please provide any other information, including information about other members of your family, that could suggest a conflict of interest or be a possible source of embarrassment to you, your family, or the president-elect."
Of which the only important bit is,
" ...source of embarrassment to... ...the president-elect."
That is without doubt the soul selling job requirment that would enslave an (outsider) appointee.
It has sealed the fate of anybody trying to make changes that the (insider) "unelected officials" don't like.
They simply make a few phone calls to "friends outside" who then engineer a situation.
When the time is right said official then "pulls the fat out of the fire" but in return require their policy endorsed (this is of course a gross over simplification of what an astute insider political operator would do by proxie through their established power base).
The only thing of real interest to these "unelected officials" is "turf".
As an "outsider" brought in it is unlikley that you would have a protective powerbase "inside".
Therefore you end up in a "do as we say to keep the job" position.
There is nothing quite as corupt as a "Well respected official" on the inside.
If the President-elect is serious about reform then he must accept that to do the required decapitation job you need people with proven ability which means they have blood on their hands...
If you will get the offer, think twice.
There is leadership, management, and consultancy and they differ.
IMHO Bruce would make a solid consultant to the leadership, but wasted as management.
The TSA in particular is an object lesson in waste management. ;)
Well, perhaps the notion that the head of a department should defend and expand its budget should also be turned on its head. Proudly announce that, if appointed, your goal will be to halve the TSA's budget with no reduction in quality. See what happens.
It should be a safe claim, since reductions in quality would be impossible to achieve in any case.
If you got the offer - I'd vote for you.
"...Security from terror attacks should be a federal jobs program."
Actually, the original article had an extremely significant "not" in there. And I would be surprised to hear Bruce say otherwise. [if for no other reason than blogs dont have voices]
I kind of wish he would take the job. I've always wanted to see the self-proclaimed best quarterbacks (the Monday morning quarterbacks) suit up and show us how it is done.
Andrew saith: "So why did Globe Aviation, owned by Securitas AB, not detect the hijackers at Logan airport in Boston? Among other lapses, FAA regulations permitted passengers to bring blades less than four inches long through security.
If you buy cheap security, don't be surprised at what you get."
Wait, so, you're blaming the hijackers getting through Logan airport security on the contract security guards not preventing the hijackers from bringing something they were allowed to bring on the plane, onto the plane?
For the record, I flew with a knife on September 10th. We will note that no planes were hijacked that day. If I'd been flying a day later, and out of the right airport... well, who knows what would have been the outcome. (Yeah, yeah, I know, internet commando talk.)
You have misquoted Mr. Balko's piece at the FoxNews website. He says "Security from terror attacks should not be a federal jobs program.", but your version leaves out the "not".
> Among other lapses, FAA regulations permitted passengers to bring blades less than four inches long through security.
1) This is, as you say, a reg not an independent decision by the contractor.
2) How is it a lapse? I carried a small knife on a/c a lot before the bans-on-everything, and hardly ever took over the plane with it. The will (and perhaps lack of threat understanding of an a/c takeover by everyone else) is more important than the tool.
>2) How is it a lapse? I carried a small >knife on a/c a lot before the bans-on->everything, and hardly ever took over >the plane with it. The will (and perhaps >lack of threat understanding of an a/c >takeover by everyone else) is more >important than the tool.
Thank you Steven. I always carry a pocketknife and have always used it as a tool and never a weapon. Before 9/11 I used to put it in the little basket and go right on through security with it.
Now the process has changed a little. I can't be trusted with my pocketknife on the plane, so I put it in my checked bag, TSA steals it out of my check bag - sometimes leaving a nice note, and subsequently sells it on Ebay. But we're all safer for it I'm sure!
Interestingly, Titanium doesn't set off the metal detector, so I never get tackled for wearing my watch.
@perhaqr: "Wait, so, you're blaming the hijackers getting through Logan airport security on the contract security guards not preventing the hijackers from bringing something they were allowed to bring on the plane, onto the plane?"
On one hand, a terrorist can try 100 times to get a bottle of liquids on the plane with no consequence (they throw it away, no concern). On the other, since it was published that terrorists tried to take down a plane using bottles of liquids, some idiot not affliated with any organized terror, perhaps a McVeight style nut job, may in fact blow himself up by copying what he read in the paper. It seems having the liquid ban is ineffective against terrorism (since there is no consequence, and organized terrorism will find another way), but not having it may not be the best either. It only takes one nut job that we have no reason to be afraid of to do damage on one plane and the whole industry is damaged.
I personally think the liquids ban would be more effective if every confiscated liquid was bagged and tagged (with information about the person who confiscated it), giving some means to trace it back if it was in fact found to be something dangerous. Then again, that no doubt has holes as well.
No easy answers.
In regards to the pocket knife discussion, I used to have one on my key ring as well. Thousands do and never taken over a plane. However, after 9/11, considering PR, reputation, and passengers feeling of security (not necessarily security in itself), what decision-maker in their right mind would want to tell the public they aren't concerned with small knives so long as the cockpit door is secured? Sometimes, as we've read in columns on this site, a little theater is good for business at times since you need passengers to feel secure to get to buy products (be it packaged foods they fear may be poisoned, hospital choice when they fear their baby may be abducted, or airline travel if they freak out when they see a 1 inch blade on a key ring).
There are costs both ways.
> But I'd be happy to advise whoever Obama choses to head the TSA.
Having already said that the head of the TSA has too little scope for action, this seems an incomplete option.
If you've the opportunity to advise Obama regarding who to head the TSA, you'd also be able to opine about the TSA itself.
Were the opportunity to present itself, you'd come close to your goals by changing the straight jacket, not the wearer.
Rather than taking a position, bringing you in as a consultant in an adviser role might be the better solution.
Dear Mr. Schneier,
with all due respect to your decision about the position as head of the TSA, please allow me to ask You to reconsider.
If you take the position, it would only take half a day to shut down and disband TSA, thus ending a waste of taxpayer money and needless inconvenience to travellers all across the nation.
You could take the rest of the day off and relax. On the following day, you could return to BT Counterpane and do something productive and useful. :-)
Too bad. We need qualified people up there.
We also need to figure out a good copyright czar, lest we get left with an industry hack.
If you think the TSA has no purpose, you are mistaken. Inefficent? Yes. Too much theater, yes, even though to comfort a jittery public may be more necessary than we care to admit.
Your post seems more a cheap shot than anything.
The TSA needs reassessed, not removed, in my humble opinion.
I actually went to change.gov the day after it went up, and suggested that you become in charge of all security in the United States. No specific position in mind, but something that allows you to make executive decisions across multiple government departments/agencies. If any opportunity arises from this presidential transition for you to make a positive impact on our security in this country, I hope you'll accept it.
@Buckeye - "I had John Mueller as a professor at Ohio State. He is one cankerous SOB"
Oh, wait - did you mean "cantankerous"?
It depends on the amount of Ti and the sensativity of a reader, however it can be detected.
"It's not surprising to see a Fox News commentator take a cheap shot at unions."
I didn't even see this as a shot at unions. TSA work is a distasteful job, and I don't want them to have the better conditions a union would bring about. The TSA should be disbanded rather than unionized.
"On the other, since it was published that terrorists tried to take down a plane using bottles of liquids, some idiot not affliated with any organized terror, perhaps a McVeight style nut job, may in fact blow himself up by copying what he read in the paper."
The joke of it is, they could "try" but the mixture they attempted would NOT have worked. Theregister had an article about this, several people tried to duplicate this (not in a plane of course!) to see if it'd work. If it was mixed JUST right (like within a fraction of a %) it probably would have scorched the guy's leg if he was in the bathroom or his seat trying to suicide bomb the plane. Otherwise, it'd fizzle or kind of lazily smoke a little, or do nothing. Well, plus as has been shown, if you claim your tubs of mystery liquid are eye drops they let you right through 8-).
Plus, you can bring one for each eye...
Fair enough. I'm not saying its always rational. I'm just saying there is more to consider. While a person is generally intelligent and can be reasoned with, people as a whole are panicky and unpredicatable. It's similar to what Bruce wrote about infant bracelets as a poor control--a mother that heard of infant abduction the day before her birth needs to feel safe letting her baby out of her site. Likewise, many people that heard of shoe bombs or liquid explosive attempts may likewise need to feel a bit safer.
As a security professional, I've often dealt with the difference between rationalizing with a person and trying to deal with people. It is surprisingly different.
I'd rather see the TSA eliminated. Give the job to the Coast Guard. They protect our waterways, why not our airways? Their basic mandate is keeping civilians safe.
They do have civilian law enforcement duties in boating safety regulations, so it wouldn't seem as though we were becoming a scary a police state as it would if Marines were checking your carry on luggage. And the Coast Guard doesn't have a reputation for frivolous regulations or "security theater". The Coast Guard has no union representation. You also would not have anyone working the job for so many years they become burned out by it.
I always find this railing against unions humorous (and simply stupid). Why this assumption that the "firer" is competent? That giving people at upper administrative levels a free hand is likely to lead to good results, while give people at a lower administrative level a free hand is likely to lead to incompetence?
It's particularly funny when you consider that most of these buffoons will simultaneously complain about the incompetence and malice of upper administrative levels, often going to the "black helicopter" edge.
Everywhere is fantasy land.
Unionizing this would be terrible. I've noticed that when your job is solid, you slip; when I make mistakes at my job, I pretty much handwave it away because 1) if I break something, I fix it, and nobody cares; and 2) at the end of my shift, if there's something that should be done, my shift's over and I can walk off with no responsibility. I've done both a couple times but my conscience and personal integrity gets to me.
The unionized cleaning staff here, however, is useless. We call them to do something, and 5 hours later they didn't do it. Once this had to do with removing hazardous objects (broken glass) from an area; they didn't come to do it at all, and when they got called and asked a second time because "nobody has come up yet" they sent someone up first to argue with us, who spent about 20 minutes explaining that "it's not that it wasn't done; it just wasn't done -well- according to what -you- want." We got chewed out about how we're NEVER to say that maintenance and cleaning "didn't" do something. Then someone else came up 2 hours later. Other things we've reported have gone completely ignored.
I could imagine being a union worker at a TSA checkpoint. I'd probably just wave a wand at things, and stare vacantly at a screen; no knife, but "suspicious" objects that don't fall strictly into the list? Pff, why do I care? I'm not getting metered for this, I get a paycheck as long as I stare blankly at the screen. They can't fire me anyway, I can complain to my union.
Why think small? Schneier for National Security Advisor.
While I agree that Bruce would make a great, positive splash at or any national security agency, much of what he describes as "security theater" performed by the TSA is mandated by law. He couldn't stop screening if he wanted to.
That being said, it would be amazing to see what he would be able to do! I think his offer to advise the next Administrator is exciting and will afford him the opportunity to affect change without compromising his creative thinking.
re: CTO and screening process...
Dear Bruce, I hope you reconsider on the CTO thing.
I doubt Hillary Clinton went through the intense screening process described by the NYT. Or Rahm Emanuel? That process is for cold calls. I'm guessing that a highly qualified and vetted individual such as yourself could fairly easily get an opportunity to talk seriously about a job without (or at least before) such an invasive process. Now of course, once in public office, life changes a lot. But you're already more famous than Chuck Norris. =)
If it was up to you, you would get rid of all unions, including police, fire, paramedic, customs, imigration and border patrol and replace them all with private contracted firms, that way you and all your corporate buddies could have a field day with all our tax payers money.
Haliburton and blackwater probably are in your eyes
the answer to our problems, that's because you view things from a corporate point of view.
Maybe it bothers you that someone can make a decent living without graduating from an ivy league school?
Let me remind you that one of the biggest reasons that 911 happend, was that it was the private security firms that the airlines contracted, with their English speaking and very motivated and well payed employees that screened those SOB's.
If you believe a private firm can do better, I have some great Everglades land for sale!
The reason TSA was not given union rights is that with a Republican administration and Congress in charge at the time, TSA was originally only going to be around for a short time and a Union would have made it difficult for the private firms to take over once again.
Once Republicans lost Congress and private security firms with their well educated, motivated, well payed AMERICAN eployees lost liability court cases, that put a big monkey wrench into the private sectors plans to take over security at our nations aiports.
In short I hope you and your private corporate friends have nothing to do with our security, I rather have a Federal Union Officer looking out for me than some private security guy that just got his dollar raise for the year. ; )
Edthetraveler, if that rant was directed at Bruce, you need to read more carefully. If it was directed at someone else, you need to write more carefully. Either way, it would help if you hit return twice between paragraphs.
Dear Mr. Moderator,
If the shoe fits, wear it.
Here's your hit return twice, for ya!
Edthetraveler ; )
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.