Schneier on Security
A blog covering security and security technology.
December 22, 2010
Adam Shostack on TSA Threat Modeling
I've said before and I'll say again, there are lots of possible approaches to threat modeling, and they all involve tradeoffs. I've commented that much of the problem is the unmeetable demands TSA labors under, and suggested fixes. If TSA is trading planned responses to Congress for effective security, I think Congress ought to be asking better questions. I'll suggest "how do you model future threats?" as an excellent place to start.
Continuing on from there, an effective systematic approach would involve diagramming the air transport system, and ensuring that everyone and everything who gets to the plane without being authorized to be on the flight deck goes through reasonable and minimal searches under the Constitution, which are used solely for flight security. Right now, there's discrepancies in catering and other servicing of the planes, there's issues with cargo screening, etc.
These issues are getting exposed by the red teaming which happens, but that doesn't lead to a systematic set of balanced defenses.
As long as the President is asking "Is this effective against the kind of threat that we saw in the Christmas Day bombing?" we'll know that the right threat models aren't making it to the top.
Posted on December 22, 2010 at 7:15 AM
Interestingly however, the International Air Transport Association is proposing the opposite: that travelers be divided into three groups based on perceived threat level, and only the small portion in the "high risk" group be screened, while everyone else is allowed to walk through with a cursory check.
Of course security analysts would be right up there in the 'high risk' category. And people with beards. And people who happened to born in Somalia. And people who looked at an official once a bit funny...
How do you model the unknown?
With an agile adversary that is what you are trying to do.
The TSA model appears to be "one size fits all" for passengers and "be damned with the rest".
That unfortunately fails both ways.
A more sensible model would be to look not for individual attack types but "classes of attack" and then try and mitigate those.
This is like "fire drills": they work not just for fire but bomb scares and earthquakes, and other emergencies that require the timely and orderly evacuation of a place that is believed to be unsafe to a place believed to be safe.
The IATA profiling plan Alan mentioned, and all data-based profiling, require the TSA to be able to identify people when they go through the security line. This will require a lot of infrastructure that probably isn't in place, and would almost certainly slow down security.
Which might be OK if it increased security. But I'm not sure more complex data-based profiling is very effective, no matter how intelligently designed the model. It's very easy to identify "odd" things about past attackers, but trying to come up with a model that includes ALL such attackers is significantly more complicated. And because there is reduced security on the lower threat groups, the model had better make sure attackers aren't shuffled into that group. And since there is little cost to probing the system to find out which group you fall into, any attackers able to become part of the "low threat" group are the ones most likely to carry out attacks.
The thing that trips people up about this, in my opinion, is that a lot of organizations DO successfully use this kind of threat modeling. Car insurance companies, for example, plug a bunch of data into a computer and assign you a value representing the chance you're going to get in an accident that requires them to pay out...and this number directly influences your rate. If State Farm can do that, why can't the TSA do something similar, or so the thinking goes.
Except we have thousands of car accidents each year, which represents a ton of data for insurance companies to use when building a profile. And the number of accidents relative to the number of drivers is large enough to create a profile in the first place. Terrorist attacks are too rare to provide enough data, and terrorists themselves are such a tiny fraction of the population that a "profile" centered around them will be so specific as to be useless. Even worse, nobody is trying to actively subvert the car insurance process...in other words, trying to get a low rate and then intentionally causing a bunch of accidents.
It's a popular idea, I'm just not sure it would actually work the way people think it should.
It strikes me as the best way to remove the threat is not to threaten other people.
If you read some of the late Chalmers Johnson's writing, specifically Blowback and Sorrows of Empire, you will see that by our actions as an empire, we have ourselves brought about much of the violence being visited upon us. Johnson was by no means a "bleeding heart," "blame America first" liberal but he saw the terrible effects we were having on the people of the world and the terrible reciprocal effects they would have on us.
You can trivially and directly link our meddling in Afghanistan in the late 1970s by Jimmy "Peace Prize" Carter and our overthrow of a duly elected government in Iran in the 1950s (at the behest of what was then the Anglo-Iranian Oil Company, now known as BP, mind you) to virtually all of the incidents and violence we're now experiencing.
Stop wasting American and other lives in foreign adventures and we'll be able to eventually stop wasting billions on ultimately ineffective "security" measures.
Chalmers Johnson brings up some good points that should be considered, but he does have a liberal viewpoint when it comes to foreign policy.
"You can trivially and directly link our meddling...to virtually all the incidents and violence we're now experiencing."
Doubtless the US has made some bad foreign policy decisions over the years that we've reaped the consequences for, but to say we're to blame for our enemy's violence is myopic.
The theory of "Be nice to them and they'll be nice to us" might be a good starting point when dealing with rational people, but it isn't a really good basis for all of your decisions. The last several thousand years of world history should spell that out pretty clearly.
I've always wondered about the TSA threat model that focuses on securing the plane. Every time I've been at an airport, the queuing for TSA checks and crowds in the 'service areas' often seem much more congested and high-risk than an individual plane. Has there ever been an article that covers scenarios of a bombing of an airport gate or runway area? It seems to me those are more likely and have as much potential for loss of life or injury and shutdown of transit services...
No need. Such attacks were already executed at airport lines back in the 70s and 80s. No idea why "they" have not returned to that tactic. Problem is if "they" return to that tactic, the TSA will move security out to the curb. Okay, attacks move out to the curb. TSA moves checks out to the airport perimeter, attacks move out to the airport perimeter. Eventually it gets reduced to the point of absurdity (not that it has not already), or "they" decide to attack ... oh ... railroads. (Which would be my next preference if I was "they", as rail cars could pack a hell of a wallop.) Or something else.
Indeed, the fact that such an attack has not occurred after the security measures were introduced only reinforces two things: 1) The risk is greatly exaggerated and 2) whatever it is they are doing, other than the public display of security at the airport, is very effective.
It is hard to imagine any other target that would instill as much fear in the general population at this point in time for the least amount of effort. The greatest bang for the buck, if I may be forgiven.
Thanks for the link, Bruce!
I wanted to respond to Clive's question of "How do you model the unknown?" because it's a common one, and it's the wrong question. What we should ask is "what do we know about" and "is modeling that enough?"
In the case of airports, we know we have passengers, who are often crowded into airplanes, but as Dreamline and Kingsnake discuss, are sometimes crowded elsewhere.
So it would appear that if we focus our modeling on passengers and threats to them, we'll do better than wondering about the modeling of the unknown.
"It is hard to imagine any other target that would instill as much fear in the general population at this point in time for the least amount of effort. The greatest bang for the buck, if I may be forgiven."
No. A higher "return" would be more like the "DC sniper". Almost no initial investment and with the right planning (picking positions ahead of time and some kind of disguises) it would be possible to continue for months.
All of this discussion of threat modeling assumes that the real goal is not already being accomplished:
"right now, we have more of a slow burning destruction of the privacy and dignity of the traveling public. We have massive contraction of the air travel industry. We have the public withdrawing from using regional air travel because of the bother."
Perhaps this IS the intended result.
Despite the "Movie Plot Threats" that some of the dreamers engaged by the TSA come up with (or ideas stolen from this blog), the comment that "Generals expect to fight the next war as if it was the last war" (can you pronounce "Maginot Line"? I knew you could!) applies: it can be argued that the TSA always prepares to counter the last threat.
I sometimes think that the biggest problem with terrorism is that we take the terrorists *seriously* (well, our news organizations, in their efforts to collect dollars, provide terrorists the pulpit to sell fear... and the pulpit-owners some dollars... by taking them seriously) instead of using them as an object of derision.
The 9/11 strikes were, until the news media went onto a continuous feed, economic flea-bites. It was only the fear and panic being generated by the various "news" entities that triggered what I see as anaphylactic shock.
It does not help that the bail-outs were a complete f**k-up and that "patriotic stock-holding" was a way to cheat people while the mutual funds and the like bailed out due to "fiduciary responsibility".
It does not help that subsequent security measures are just so much bullsh!t and *don't* deal with the problem.
Hell, it doesn't help that the idiots at DHS and TSA don't even understand *what* the PROBLEM is.
The problem, to me, is simple: How do you deal with security challenges in what purported itself to be a "free" society without changing the nature of the society?
What measures can we take that give *us* the initiative rather than placing ourselves (as the DHS and TSA have) on the defensive? Doesn't *anybody* read Sun Tzu?
@historian ". . . but to say we're to blame for our enemy's violence is myopic."
I would suggest that this is begging the question.
I don't question the violence of our enemies but had we not mucked with their governments and lives in the first place, would we have them as enemies in the first place.
I recognize that the world is and always has been a rather unruly place, to say the least, but our meddling has made it far more unruly, all to our own detriment.
I certainly do not suggest we disarm and I further recognize that a nation must be prepared to defend itself and should take appropriate security measures to prevent madmen and fools from wreaking havoc.
That's why our cities, counties, and states have police officers, because we recognize that some people are just plain jerks. But our police forces don't invade other jurisdictions or undermine their lawfully constituted authorities.
Would we be at war with what is rapidly becoming a third of the world if we had tried to be, as you put it, "Be nice to them and they'll be nice to us?"
I somehow doubt it.
By the way, @historian, I'd tend to beg to differ with your characterization of Chalmers Johnson as a "liberal" on foreign policy. It's only "liberal" if you accept the artificially simplistic bipolar political world as portrayed on cable news, where if one party says "Up", the other automatically shouts "Down!"
In my opinion (and you are welcome to differ), not engaging in wasteful empire building and futile wars is not a "liberal" notion. I thought conservatives were supposed to be against wasting money on pointless causes.
Focusing on securing the plane is different from focusing on securing the 'service areas', even if we granted your proposition that they each contained equal numbers of people.
First, the focus on securing the plane is because the plane can be repurposed into a weapon that has high kinetic energy that substantially threatens various sorts of targets/facilities in ways they are fairly otherwise undefended against.
Second, a terrorist blowing up a plane also creates a different set of psychological fears than a terrorist blowing up people on the ground in a line at an airport. While this may not be a rational distinction if equal numbers of people are killed either way, it may be a valid psychological difference in reality that affects the threat model, consequences, and resource allocation.
I have no idea if the latter has been scientifically tested, or if either reason is actually why TSA does things the way they do.
Lay off the TSA, stop all of the screening, and see how many planes get brought down in January. If the number is zero, the TSA can safely be fired.
The TSA chief, when faced with fourth amendment concerns in the interview tried to indicate there was a "difference between what most people think of in terms of a reasonable search-and-seizure for purposes of law enforcement, versus a public-safety administrative search. I don't know if people [critics] are drawing that distinction, either, from a legal standpoint or a practical application."
While at first this is an interesting distinction, I am skeptical this distinction in practice is anything more than a rhetorical one.
For example, does the TSA itself make this distinction? If I have drugs in my bag, or loads of cash or whatever, does law enforcement get involved? If so, then is this really just a "public safety" search to protect the plane? Not really; then the argument is just a red herring.
The issue at hand is really trivial, and we are all familiar with it. When faced with a breach, people tend to try and bolt security onto existing systems instead of carefully redesigning them, analysing risks and threats, and building security controls into every layer of the system. It is very much reminiscent of the historical network perimeter approach where administrators confronted with a breach spent a lot of money on an expensive Checkpoint firewall and IDS, left them in their default configuration, blocking legitimate traffic in the process, generating enormous amounts of false positives and in no time becoming a general nuisance to most network users. But at least everybody had a (false) feeling of security.
What TSA is doing is pretty much the same. Let's consider every traveller a possible suspect and throw as much stuff at the wall as budget permits, then see what sticks. But just as most (Windows) users know too, sometimes it is just way more efficient to reinstall your system from scratch - and in a smarter way - than trying to keep a buggy/compromised one running, dooming yourself to keep running behind the facts.
The main problem organisations like TSA face are not the terrorists, but the hands that feed them. These demand fast and visible countermeasures, even when these are evasive, inefficient or reactive only. The cost at which they come really doesn't matter as long as you can convince/fool a majority of people to buy into them. Anyone who has ever worked at a software or hardware vendor knows only too well the constant pressure by marketing and management on product engineering to release new stuff even when it is just not market-ready.
In due time, TSA may get their act together or not. They may continue down the beaten track adding stuff on top of what's already there at every new event, or become smarter over time, replacing useless and invasive controls with a smarter and more efficient approach.
"As long as the President is asking "Is this effective against the kind of threat that we saw in the Christmas Day bombing?" we'll know that the right threat models aren't making it to the top."
Sure, that makes sense, the only good threat model is one that wouldn't match up with previous actual incidents.. lol
Re: attacks on checkin lines.
Done. Simultaneously in Rome and Vienna, mid-80's. An Abu Nidal operation, IIRC.
Yes, security was moved out to the curb. BUT, here's the catch: at the checkin, at the curb, at the a/p perimeter, is all OUTSIDE the magnetometers.
If you have guns, bombs, fanatics outside the magnetometers and inside the US, you have a huge wealth of targets: shopping malls, Times Square, municipal Xmas trees, sporting events, you name it.
So why go through the risk and bother of trying to get your "bad stuff" through a/p security, when you can just attack other, mostly unprotected, stuff?
Foreign terrorists, trying to attack US targets, have to fly here with their weapons. They do have to get through the security checkpoint, and the airline is the first major target they encounter after the checkpoint. So of course you get shoe/underwear/luggage bombers.
That's not true for terrorists already inside the US. They don't need to go through a/p security to attack targets, so they won't. That is why all of the porn-scanners etc just make no sense for flights that originate in the US. Plain old magnetometers with some random bomb-sniffing dogs or explosives swab testing is enough to move the threat to somewhere else.
But, of course, the only place that TSA has power to run security is US-origin flights, so that's what they crack down on. Also, TSA is not looking at the "big picture" of threats outside of airports, where it's almost impossible to systematically reduce them.
Overall, it *may* be better to reduce the "obvious" (porn scanners) a/p security, but ramp up the "covert" (intel, behavioral modeling) security, to get terrorists to a well defined location where resources can be concentrated. Yeah, a "honeytrap" model, with all its problems.
Every terrorist attack inside the US, foiled or successful, that does not occur in connection with an airport, demonstrates that DHS/TSA is doing it wrong.
It's an and-and relation, not an and-or. The president is unlikely to be a subject matter expert, therefore not necessarily asking all the right questions. That's what he's got advisors for. If the answer to his question is just a plain "yes", and none of his advisors are asking other questions or questioning ramifications, he's just being deceived the same way the general public is.
Bureaucratic perspective: The TSA is supposed to eliminate security threats. Passengers are a security threat. It's very easy to view passengers as the obstruction to overcome, the problem, rather than the reason the TSA exists in the first place. To the bureaucratic machine, people/citizens do not count. The mission is of primary importance: Secure the airport. The TSA's job will be done when there are no more passengers.
no, terrorists do not have to fly here. Check the borders with Canada and Mexico.
Also, since so much is available in the US (note the OK City bomber bought all his goods in the US), they could fly in and purchase/acquire the weapons here.
"Check the borders with Canada and Mexico."
While technically correct, it misses the real point.
The real point is that there just are not that many terrorists who can operate in the USofA without attracting attention PRIOR to their attack.
How easy would it be for you to infiltrate Iran and carry out an attack on a police station? Do you know what a police uniform looks like? Can you tell the difference between a rent-a-cop and a real cop? Would you be able to rent/steal a vehicle?
So most terrorists will only be able to attack the most obvious targets. Which are the aircraft that they're traveling in on.
W/r/t check-in lines (ad infinitum)...
Check-In lines are one-acts; there's little additional leverage since it is a "finely focused" attack and making enough of an impression across the country (in order to make it "look big") is costly and doesn't scale well.
Consider: the 9/11 attacks on the WTC scaled exceptionally well since there was a wealth of cameras available for the 2nd act. If Bedloe Island had been struck, there wasn't much of a 2nd strike that'd make it look that much more serious.
Unless you are (or become) allergic to flea bites they are no more than an annoyance... and, really, the immediate damage of 9/11 *was* a flea-bite... until the fear and panic amplified by the purveyors of "news" ensured that, once the markets re-opened, that the collateral economic damage would be magnified all out of proportion.
The key commonality in all of the 9/11 attacks was that the airliners had fuel tanks for a long haul non-stop so the strikes were actually meant to deliver fuel to ensure a conflagration. (Anyone recall the tail end of Clancy's "Debt of Honor"?)
If the TSA told airlines they could only fly, say, 500 miles in a hop, while screening was greatly relaxed, there'd be insufficient fuel for flights not crossing an ocean... and, so, focus the screening on the planes that carry enough fuel to be a threat if not under "lawful control".
Yeah, that's a change, but the real weapon-- fuel-- and its delivery mechanism-- a jet plane-- are harder to come by and the airlines will probably like that non-stop flights are no longer available, allowing better "yield management" through hubs.
"allowing better "yield management" through hubs"
It would reduce the size of the bomb, true (not sure by how much though). But the cost would be catastrophic in terms of inconvenience to passengers and subsequent $$ loss to the airlines. We can't drive them out of business..
Ummm... inconvenience to the passengers? Yes, eliminating coast-to-coast non-stops is one hellacious inconvenience BUT IT DOESN'T SET A PRECEDENT for supralegal searches.
One is a technological inconvenience (and I could see it as a way the government could breathe life into AMTRAK... yes, you may laugh, that was an off-the-wall tangent done for laughs) while the other is a societal and cultural *change* that reduces our comfort with authority figures in general.
As for a $ loss for the airlines, the practice of requiring photo ID and boarding passes was done to boost their profits already so they'll just have to take their lumps.
And, yeah, shortening the range of any flight merely reduces the value of each flight as an incendiary device since most of the fuel was burned to get to altitude and the plane almost glides the rest of the way (all right, so it doesn't, but it sounds funnier this way) and allows the airlines to pack 'em full between hubs (what has been called "yield management") which has done wonders for their profitability.
There *are* other impacts... like cross-oceanic flights are unlikely to fly over a lot of country to get to O'Hare (which might not be that terrible a thing).
Don't forget that terrorism uses denial value... and, admittedly, without the incendiary weapon that a fully fuelled aircraft is, will have to find other ways to deny us a feeling of security.
Another issue with this security theatre is that it looks to the wrong direction for potential "evildoers"...the direction here being the one indicated by the U.S. government, which, according to Gov Jesse Ventura, Architects for 9-11, and some other sources is plain wrong.
GORDON DUFF: GOV. JESSE VENTURA PROVES 9/11 COVER-UP, WILL AMERICA’S GOVERNMENT FALL?
TV host, Jesse Ventura, former Navy Seal, former Governor of Minnesota, on a one hour documentary on prime-time American television, makes an open and shut criminal case tying Cheney, Rumsfeld and officials throughout the US government with complicity in the planning, execution and subsequent cover-up of the 9/11 attack on the Pentagon.
9/11 is an inside job.. LOL
Bruce, you have quite a following of rational folk.. Ever wonder why?