Schneier on Security
A blog covering security and security technology.
« Me on Color-Coded Terrorist Threat Levels |
| Hacking HTTP Status Codes »
February 2, 2011
Kip Hawley Comments on the Domodedovo Airport Bombing
This is the first piece of writing I've seen from Kip Hawley since he left the TSA in 2009. It's mostly generalities and platitudes.
Posted on February 2, 2011 at 6:42 AM
• 18 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
"To foil endlessly resourceful terrorists"
This strikes me as an oxymoron. If they are infinitely resourceful then they can't be foiled.
What he means to say is "to actually have an effect against terrorists who are seemingly endlessly defeating our inadequent and misdirected efforts", shurely?
"If they are infinitely resourceful then they can't be foiled."
* Without stopping those pesky 'potential terrorists' otherwise known as 'passengers' for the rest of time. Which I'm sure the TSA have on the table as a possible solution.
"This is the first piece of writing I've seen from Kip Hawley since he left the TSA in 2009. It's mostly generalities and platitudes"
The honest question would be "what do you expect?"
Most people that have looked into the issue of not just the TSA (but the DHS as well) in any depth and with an open mind would probably conclude on balance that the US response to 9/11 is at best a busted flush.
It could be argued (and some will) that the US response with the TSA is "effective security", however with the best will in the world you still have to ask about the context the response is in.
The point is that currently the context in the US is such that the terrorist threat is at best minimal.
There are a number of reasons why this might be so, but they are not directly relevant to the argument.
What is however a little more relavent is if the context will change in the near future?
If not then the only sensible action would be for the US to step away from it's current level of ineffective "visable" security behaviour as it is a waste of resources (the recent "visable" Russian response is in my 20,000ft view the correct one).
Now if you accept the above argument of "current context" and "future context" you have to ask why Kip has been fairly quiet and at best banal in this current writing.
Perhaps one simple argument is "self interest", another is "loss of interest" or "become jaded with the issue".
To decide this you would have to examine what Kip has been upto since leaving the TSA, and who Kip has been associating with "proffesionaly" and what Kip's source of income currently and in the near future are?
Kip might be deciding on a "political career" in which case the question of "keeping the powder dry" and "not going off half cocked" or "not rocking the boat" may well be a driver.
It is not an area I have looked into but as has been noted many many times "follow the money" if you want to see what the motivation might be.
It strikes me that virtually all comments on the bombing deal with perimeter or airport security - including Kip Hawley's comment. In my view, to prevent this type of attack intelligence and root cause prevention play a major role.
Of course a risk-based approach to secure a location is helpful, but it is only a small part of the story.
And we should not aim for 100% security, that would simply not be cost-effective.
Operations Director Global Public Security
"TSA, the airports, airlines, law enforcement, vendors and, yes, the traveling public all share responsibility for our security outcomes. "
So, if we don't want our stuff touched, it's our fault if there is a terrorist incident?
"But it was all right, everything was all right, the struggle was finished. He had won the victory over himself. He loved Big Brother."
Attempting to exploit a tragedy to advance a particular viewpoint requiring an endless expansion of security measures could remind one of Benjamin Franklin's comment "Those who desire to give up freedom in order to gain security will not have, nor do they deserve, either one".
What's needed perhaps isn't still more security measures, but rather better security measures. Meanwhile we have drones in Airports groping grandma, your kids, and confiscating bottled water in a showing of security theater, while threatening people for doing legal things.
Hawley is right about this sentence: "But security that depends on an auditable checklist of written requirements is always going to be vulnerable to an enemy that can change the method of attack based on those regulations...A corollary vulnerability is that no government can issue regulations quickly enough to cover every conceivable angle of attack. Therefore, if compliance with set rules is our system, it is a system born to fail."
This is exactly what ex-SEAL Richard Marcinko wrote about security following "checklists" while terrorists don't. He said his Red Cell team would watch security perform their check, then his team would move in, confident that what was checked once would not be checked again any time soon.
In addition, there are an effectively infinite number of attack vectors that depend solely on the imagination of the attacker. It's not a case of "find the vulnerabilities" because everything, properly used by a terrorist, is a vulnerability.
Where Hawley is wrong is in the following: "First, we need multiple layers of security deployed throughout the airport that are changing regularly and, to outsiders, seem unpredictable. Layers such as K-9 teams, random inspections and behavior detection agents, by their very randomness, prevent terrorists from identifying a security gap and exploiting it."
This is completely wrong. It works only against "the riffraff". A professional like Marcinko is not an "outsider" - he is an "insider" who watches and will detect a randomly changing security check. And no security check is ever really "random" - humans don't work like that. There are security shift changeovers, and no one can be everywhere at once.
Hawley is talking about putting security in the "backside" and public areas of the airport. That doesn't change the security profile, merely the perimeter. Terrorists can sit outside that perimeter and drop mortar shells and rockets on any airport in this country. They can drive up within four miles of the flight line and drop a plane with a Stinger missile on takeoff or landing (and yes, the Afghan Stinger missile batteries still work - if not, just buy or steal one from current inventory in this country or another).
They can infiltrate as airport or airline staff or even passengers and plant explosives at any time anywhere in the airport which cannot be detected. If an explosive is wrapped right, no bomb-sniffing dog or device is going to detect it. Just waltz in as a passenger with a nice heavy bag, stash it somewhere for the minute it takes you to waltz out, then trigger it. You don't need a big blast and a lot of bodies - ANY blast with ANY bodies will close down the airport. Do it at two or more airports in the country and the whole country shuts down.
In five minutes off the top of my head I've defeated their entire range of security options right here right now.
Back in the 80's I came up with enough options to bring this country to its knees within a few months if implemented by a few dozen men with a relatively small arsenal of suppressed handguns, automatic weapons, sniper rifles, grenades, C-4, poison, and common tools. The target list is in the hundreds of thousands, if not millions.
I will repeat: There is no security.
Thank you, thank you, I'm here most evenings. No applausa, please, savea 'til the end.
- and please don't call him Shirley.
(which is about the level of both his comments and the approach to Airplane! security in general)
(My apologies to non-American readers for whom the reference may not be familiar)
@ Clive: "Kip might be deciding on a "political career" in which case the question of "keeping the powder dry" and "not going off half cocked" or "not rocking the boat" may well be a driver."
Recent US election results would indicate the voting public prefers those that campaign on half-cocked platforms.
Harumph harumph harumph
Yup, 9/11 was a bad day for Hawley to quit cigarettes.
And it was a bad day for him to stop drinking.
And it was a bad day for him to give up amphetamines.
And it was a bad day for him to give up crack.
I expect someone who is held up as an expert (by the gov't, at least) to reveal their expertise. If Kip is doing that here, his expertise is not in security, but bureaucracy. Maybe that's the next natural stage after "security through obscurity."
@EH "expertise is not in security, but bureaucracy. "
let's look at his resume
BA at Brown U (in what? Kip! Would you please update your wikipedia page?)
1980 JD UVa Law
Deputy Assistant Secretary and Executive Director of Governmental Affairs for the Department of Transportation
Deputy Assistant and Special Assistant to President
1992 Commission on Intermodal Transportation
Vice President at Union Pacific Railroad
CEO of Skyway
Executive Vice President of Arzoon
Air Traffic Services Subcommittee of the Federal Aviation Administration.
DoT Go-Team to establish TSA
2005-09 Administrator TSA
Now does THAT look like the expertise of a bureaucrat? I ask you.
What I've found in watching different levels of organizations communicate with themselves and between each other is there is an ENORMOUS drop in detail from the infrastructure/operations to the strategic levels. And between themselves the strategic levels still talk
to each others as representatives of all that lower level detail (presumedly on the notion that someone somewhere can answer a specific if some is so rude as to ask for one.)
I believe this is why specialists, not just security, never feel they are communicating in enough detail for thier
leadership to make informed decisions.
But that same level of leaderships (SES, GS-15, O-10s, VPs, BoD members) value is just that they are generalists and that they can hire the specialist help the need as needed.
The fuller version shows it's intent more fully:
"To foil endlessly resourceful terrorists... we need endless resources."
Government bodies, like banks, are inherently greedy.
@ Nico Kaptein
"In my view, to prevent this type of attack intelligence and root cause prevention play a major role."
Which is exactly what Bruce and a lot of other folks here have been telling all along. The entire article is nothing more than kicking in open doors. Notoriously missing (again) is profiling and differentiation of controls/methods depending on previously observed MO of terrorist organisations known or likely to strike in specific regions of the world.
This attack illustrates a point that Bruce has been saying for years. If you make people go through a security checkpoint, then it's only a matter of time before someone works out that you don't actually need to go through the checkpoint to cause mayhem. All you need to do is set off a bomb in the middle of the queue.
The Brains of TSA
12/21/08 - Econlog.Econlib.org by David Henderson
When Charley and I tell a story of poor thinking, we almost never name the person, but here I'll make an exception. This high-level manager was Kip Hawley, head of the Transportation Security Administration (TSA). [See why, search for "I volunteered" at the link]
It would proable be a good idea to remove most of the security measures at the airports, and have myffty cops seating have coffe. If you block all the level 1 threats they will go to 2+(more damage,more/less risk)
One country might have 1 ever 2 years, 400 max die(1), artellery rounds hitting 4 planes on the ground loaded,1600(2)
@dbCooper: "Recent US election results would indicate the voting public prefers those that campaign on half-cocked platforms."
I don't think so. Most modern elections aren't the result of voters supporting their options so much as a rejection of the alternatives.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..