Schneier on Security
A blog covering security and security technology.
November 25, 2010
The DHS is Getting Rid of the Color-Coded Terrorism Alert System
Good. It was always a dumb idea:
The color-coded threat levels were doomed to fail because "they don’t tell people what they can do -- they just make people afraid," said Bruce Schneier, an author on security issues. He said the system was "a relic of our panic after 9/11" that "never served any security purpose."
I wrote this in 2004:
In theory, the warnings are supposed to cultivate an atmosphere of preparedness. If Americans are vigilant against the terrorist threat, then maybe the terrorists will be caught and their plots foiled. And repeated warnings brace Americans for the aftermath of another attack.
The problem is that the warnings don't do any of this. Because they are so vague and so frequent, and because they don't recommend any useful actions that people can take, terror threat warnings don't prevent terrorist attacks. They might force a terrorist to delay his plan temporarily, or change his target. But in general, professional security experts like me are not particularly impressed by systems that merely force the bad guys to make minor modifications in their tactics.
And the alerts don't result in a more vigilant America. It's one thing to issue a hurricane warning, and advise people to board up their windows and remain in the basement. Hurricanes are short-term events, and it's obvious when the danger is imminent and when it's over. People can do useful things in response to a hurricane warning; then there is a discrete period when their lives are markedly different, and they feel there was utility in the higher alert mode, even if nothing came of it.
It's quite another thing to tell people to be on alert, but not to alter their plans, as Americans were instructed last Christmas. A terrorist alert that instills a vague feeling of dread or panic, without giving people anything to do in response, is ineffective. Indeed, it inspires terror itself. Compare people's reactions to hurricane threats with their reactions to earthquake threats. According to scientists, California is expecting a huge earthquake sometime in the next two hundred years. Even though the magnitude of the disaster will be enormous, people just can't stay alert for two centuries. The news seems to have generated the same levels of short-term fear and long-term apathy in Californians that the terrorist warnings do. It's human nature; people simply can't be vigilant indefinitely.
Another alert system to compare this one to is the DEFCON system. At each DEFCON level, there are specific actions people have to take: at one DEFCON level -- and I'm making this up -- you call everyone back from leave, at another you fuel all the bombers, at another you arm the bombs, and so on. What actions am I supposed to take when the terrorist threat level is Yellow? When it is Orange? I have no idea.
EDITED TO ADD (11/25): Good observation:
The DHS National Threat Advisory is a public alert system. That a public alert system is indicating imminent disaster is not surprising. In fact it's inevitable. It's the nature of public alert systems to signal imminent disaster at all times. I've composed "Blakley's Law" (next time I come up with one of these I'll rename this one "Blakley's First Law") to describe the phenomenon:
"Every public alert system's status indicator rises until it reaches its disaster imminent setting and remains at that setting until it is retired from service."
It's easy to see why Blakley's law holds: if something terrible happens and the alert status didn't predict it, the keepers of the alert status will be blamed for not preparing us for the disaster. Setting the alert status to "Disaster imminent" when no disaster is likely costs the public some money and mental health, but it doesn't hurt them in other ways. On the other hand, setting the alert status to "Don't worry, be happy" just before a disaster does happen is the worst case for everyone - nobody prepares for the disaster, and the people in power lose their jobs for failing to prevent or prepare for the crisis.
Posted on November 25, 2010 at 6:39 AM
• 43 Comments
"at one DEFCON level -- and I'm making this up -- you call everyone back from leave"
Heh. I had to read that twice. You're like the anti-Dave Barry.
The best mocking of this system is here:
I think the UK is currently the equivalent of Threat Level 'Bert', but we'll no doubt go to Ernie or even Elmo before the Olympics....
Confused? Check the link.
Let's see if the French government takes note and also gets rid of its Vigipirate thingy: now the orange means nothing but some armed soldiers roaming around train stations.
To follow-up, I think everyone agrees that we can't stay at Elmo for long periods - or even Ernie. But if local areas move from Oscar through to Ernie (e.g. Olympic venues, Royal Wedding sites) the direction to be vigilant may be of limited use.
Of course, this could be equally applied to enterprise IT security "Due to PDF zero-day attacks, we are at Threat Level Elmo." - but like the SANS system, only the most rough of systems (say, Oscar, Bert and Elmo) is of value. Even then, knowing to 'be alert' is highly limited, when compared to the value of 'be alert for a specific threat' e.g. "We are at Elmo due to a PDF zero-day worm."
This was nailed a little while back with "Blakley's First Law":
'Every public alert system's status indicator rises until it reaches its disaster imminent setting and remains at that setting until it is retired from service.'
Just a moment to wish everyone a Happy Thanksgiving Day.
No alerts needed here.
I'm so glad you cleared this up. For a long time now, I've understood the colors as dress codes. I had a little trouble finding an orange suit, but I managed to find one in a used clothing store.
Thank goodness I won't have to wear that ugly thing again.
Much more effective in the DoD are the Random Anti-terrorism Measures (RAM). This is a list of actions, such as 100% hands-on ID checks, gate closures, door closures, shutting all the windows and blinds, etc., that are intended to disrupt normal activities. The list isn't huge, and some of the measures seem a little ridiculous, but overall they're decent.
At different Force Protection (FPCON) levels, a certain number of RAMs must be implemented in an organization or site where the FPCON applies. RAMs must also be changed with a certain frequency. Some locations actually select the RAMs for the whole locale, some don't.
The idea is a good one. Covert plans rely on understanding the normal operations of the target. RAMs disrupt that aspect, make planning more complicated, and execution less assured.
Why can't TSA do something similar?
threat level action chart
green = low = still be very afraid
blue = guarded = distrust everyone
yellow = elevated = blood pressure
orange = high = pee your pants
red = severe = SUBMIT, OBEY, SHUTUP!
aka ann archy
I still prefer the two level action chart:
Level 1 = "Get a helmet"
Level 2 = "Put on the fricking helmet"
Unfortunately I can not remember where I heard about it.
>>What actions am I supposed to take when the terrorist threat level is Yellow? When it is Orange? I have no idea.
I thought DHS cleared this up years ago:
yellow = buy duct tape and plastic wrap
orange = make a home made gas mask out of duct tape and plastic wrap
red = put on gas mask and suffocate
The problem is that "Blakley's First Law" doesn't quite work as written. It has one significant flaw, in that there are real-world examples of useful alerts. Flood alerts, tornado alerts, or any sort of weather alert really, are prime examples.
The difference, of course, is that the useful real-world public alerts have qualities that the color-coded terror alerts don't have. The key difference for this particular "law" is that they are based upon demonstrable factual predictors. When the weather man says, "Watch out for snow storms", he actually has a valid, demonstrable, fact-based reason for saying to do so. The creators of the color-coded terror alerts do not.
So, how about, "Unless based upon demonstrable factual predictors, every public alert system's status indicator rises until it reaches its disaster imminent setting and remains at that setting until it is retired from service."
News to be thankful for. Thanks, Bruce.
But...but....but...How will we know when to be afraid and where and why?
This lets me be afraid all the time, everywhere, for no reason at all.
I wonder how much the program cost?
Why is everyone so down on the level system? It's really easy.
It's currently elevated, having most recently in 2005 been lowered to elevated from high, which is more elevated than elevated, but high isn't as high as the highest level. The highest level is severe, which is the level that is more elevated than high, which in turn isn't the highest level, but is more elevated than elevated and guarded, which is less high than high and elevated, but more elevated than low. Less severe than severe, high, and elevated is guarded, which is higher than low but less elevated than elevated. Low is the lowest. Guarded is more severe than low, but less elevated than severe which is higher than high which is elevated more than elevated which is more elevated than guarded. Simple!
Dropping this useless scheme means that there is at least one sane, sensible person in bureaucracy. Have to give praise when due. It is thanksgiving after all!
The army has a relatively simple one.
black = no worries
black-alpha = be a bit worried (IRA in the news this week)
amber = specific attack warning
red = this base under imminent or actual attack
The funny part was that the security services had the same system but they had codenames for the levels, so black was 'bikini', that really confused the KGB !
> Another alert system to compare this one too is the DEFCON system.
This blog's typo alert system just jumped a level --- you meant "to", not "too".
It's strange that Israel, which long resisted threat warning levels on the basis of "why would you tell terrorists you're on minimum or maximum alert?", now seems to be looking at a new alert system - http://www.dailytech.com/...
but I guess those relate to specific rather than general threats.
Sadly, the Army moved away from the relatively sensible BIKINI ALERT system a few years ago.
Now there is the muddled threat level / response level system.
The threat level is the UK pan-Government one, where it runs LOW, MODERATE, SUBSTANTIAL, SEVERE, CRITICAL (and it's anyone's guess how they really split hairs between them), and these map to one of three response levels: NORMAL (for LOW/MODERATE threat), HEIGHTENED (for SUBST/SEVERE threat) or EXCEPTIONAL (for CRITICAL threat).
In theory, each location should have a plan of what to do at a given response level, but as the UK doesn't seem to have gone below HEIGHTENED since the system came in, I have no idea what would constitute "normal" (and yes, surely there is the argument that if you have a certain response level on a normal day, it should be normal...).
But before I get too sentimental about the BIKINI system, does anyone ever remember how many times it went to BLACK? Certainly for my career in the Army it went from BLACK ALPHA to AMBER a few times, rarely to RED and then in about 2001 it dropped to BLACK for a brief period (cos PIRA were actually committed to a cease fire), however very quickly BLACK SPECIAL was invented to account for the new slightly elevated level.
I actually don't think any Anti-Terrorist warning level will ever make sense.
The terrorists are close, the terrorists are not so close, the terrorists have hit.
We're better off watching CNN than looking at a threat level.
@GreenSquirrel - took me a few minutes to figure out that PIRA was the Provisional IRA.
I'd expect that any such alert system would gravitate towards the second-highest level, since highest would imply some action should be taken to reduce the threat. So I was expecting that the threat level would remain at "Orange" until people realized the system was dumb.
Does Blakley's Law apply to the Doomsday Clock?
Attackers are colour blind...
I was just looking for that!
I don't *ever* remember it having gone down to Oscar, or even Cookie Monster?, since 2001. Clearly there's a low signal-to-noise ratio in the message they are sending the public, since they haven't even bothered to start at the bottom and use the full range of choices. I was waiting for them to add more, too - a dark red one at the top, no make that black, called the "Extreme" Terror Threat Level!. [/sarcasm]
Wonder if Symantec will get rid of their silly ThreatCon logo now.
Case in point was the day before the 7/7 attacks in London when the threat alert level was actually lowered.
I propose we develop a new 'description-coded' terrorism alert system, where instead of colours we use the intrusiveness of TSA searches to describe the perceived threat of terror:
-'You look Caucasian, off you go!'
-'shoes off, please!'
-'can you please step out of the line, sir!'
-'your laptop password, please!'
-(sound of rubber gloves being put on)
The DoD uses a similar "force protection condition" (FPCON) system which starts at "normal" and proceeds through "alpha" to "delta". Of course "normal" is a misnomer because it has never been, nor will it ever be, "normal," for the reasons Blakley stated.
I used to live on a UK army base 25 years ago and I recall a "BIKINI alert" warning on the wall with various levels. I think it's somewhat analogous to DEFCON but the name is a little bit kinkier.
Lister: The red, green and blue alert signs are all flashing. What the smeg does that mean?
Kryten: Well either we're under attack sir, or we're having a disco.
Actually, it's quite easy to take action on the warning that California is due for a major earthquake sometime in the next 200 years.
Head to the frozen, quake-free tundra of Minnesota. Tell your family to avoid the sunny promised land for ten generations, or until the Lord has visited a grievous judgement upon it, whereupon you can return en masse like the children of Israel. :)
I think a lot of people are doing this anyway. Probably has more to do with the taxes and gun laws and dismal economic future though.
PS--This blog has been one of the great discoveries of my year. Thanks Bruce and keep up the good work!
Big fan of your blog, thanks for this posting!
Bruce, Heading to the basement during a hurricane (a weather event characterized by flooding and water surge) is usually not considered the best of ideas.
-'You look Caucasian, off you go!'
Weird. Why would Caucasians, most of whom are Muslim and who have already blown up several russian planes and schools, get a free pass ?
People don't say weird things like this in Europe. I don't understand. Is this a USA thing ?
@vwm It was Ron White. You said it before I did. LOL
We have this system on a smaller scale in my home town. We have sirens that go off loudly whenever there is NOT a tornado. (or rather the inverse, ie whenever the sirens DO go off the one thing you can count on is that there is NOT a tornado in the vicinity.)
The 6-8 times (in 22 years of living there) that there HAS been a tornado within 10 miles of my house they did NOT sound; however they have sounded probably 30 times in that same period for: testing, new installs or by accident. (presumably they go off every first monday of a month at noon, but I am usually at work and dont get the benefit from those.)
The closest they ever came to being useful was once about 5 years ago when they went off approx 10 minutes AFTER a tornado had passed through and beat up the nearby shopping mall. Kind of an "all-clear" signal.
@foo12: I don't know if you're being facetious, but it's a US English thing -- The "white people" are the "Caucasians" in the US.
Weird. What does white have to do with religion?
The word Caucasian itself refers to the white people of the Caucasus mountains, who are mostly Muslim. So are the white (but not Caucasus mountain) people of Albania, Turkey, central Asia, north Afghanistan etc., so I'm not sure what your logic is. I am genuinely confused.
@Jim "The DoD uses a similar "force protection condition " (FPCON) system which starts at "normal" and proceeds through "alpha" to "delta"...
Thanks for 'memberin' this. I was thinking about it too. They also have an INFOCON and a DEFCON system. And the difference here is the population responding to FPCON is limited and trained.
The actions required are specific, certain and doable.
The areas applied to are limited and enforceable.
These make the systems work. I'm not sure limited population is a requirement, but training certainly is. DHS refused repeatedly to modify the system to be geographic or asset specific. Are ships under the same risk as aircraft? How 'bout New York City and Boise, ID?
This lack of specificity, and Karl Rove playing political games with it bringing it into disrepute, are what made everyone ignore it. After Rove was booted and the campaign won, it moved to Orange and stayed there. Hmmm, yes, lightning may strike anywhere. Which is, I think, humans' basic risk estimate anyway.
Yes, foo12, we get it. You're not from the US, and you find US idiomatic usage sometimes confusing. Thanks for sharing.
I am, however, sad to hear that they don't have Wikipedia wherever you're from, as it could have cleared up your questions on this issue, and doubtless many others, in short order.