Schneier on Security
A blog covering security and security technology.
« "Operation Pumpkin" |
| Extreme Authentication »
May 5, 2011
Bin Laden's Death Causes Spike in Suspicious Package Reports
It's not that the risk is greater, it's that the fear is greater. Data from New York:
There were 10,566 reports of suspicious objects across the five boroughs in 2010. So far this year, the total was 2,775 as of Tuesday compared with 2,477 through the same period last year.
The daily totals typically spike when terrorist plot makes headlines here or overseas, NYPD spokesman Paul Browne said Tuesday. The false alarms themselves sometimes get break-in cable news coverage or feed chatter online, fueling further fright.
On Monday, with news of the dramatic military raid of bin Laden's Pakistani lair at full throttle, there were 62 reports of suspicious packages. The previous Monday, the 24-hour total was 18. All were deemed non-threats.
Despite all the false alarms, the New York Police Department still wants to hear them:
"We anticipate that with increased public vigilance comes an increase in false alarms for suspicious packages," Kelly said at the Monday news conference. "This typically happens at times of heightened awareness. But we don't want to discourage the public. If you see something, say something."
That slogan, oddly enough, is owned by New York's transit authority.
I have a different opinion: "If you ask amateurs to act as front-line security personnel, you shouldn't be surprised when you get amateur security."
People have always come forward to tell the police when they see something genuinely suspicious, and should continue to do so. But encouraging people to raise an alarm every time they're spooked only squanders our security resources and makes no one safer.
"Refuse to be terrorized," people.
Posted on May 5, 2011 at 6:43 AM
• 41 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
I love the title from the linked article; "NYC Seeks Spike in Suspicious Packages Reports After Osama Death"
Seeks? Really? Perhaps "sees" was the intended language?
But if you refuse to be terrorized, the terrorists win!
"refuse to be terrorized"
Well said. If we want security we should get professional security, not the ranting madness of the general public.
I am also looking forward to the legal action from NYTA over NYPD's use of their phrase....
"If You See Something, Say Something"
What does "owning" this slogan mean? Nobody else is allowed to use it? That seems really STUPID! What's wrong with these people?
I'm a little confused by this. Here you say that amateur security personnel provide poor results (in the form of false positives). But haven't you said that the two things that make air travel safer is the locked cockpit doors and greater passenger awareness? So which is it, are amateurs good for security or not?
@devin: good observation
@bruce: "If you ask amateurs to act as front-line security personnel, you shouldn't be surprised when you get amateur security."
"refuse to be terrorized"
There's a few logic problems here:
1. No one is asking johnQ to become a security person. Authorities are merely asking people to report something if they feel it is suspicious. Yes, in so doing, there will be greater false positives and professional security folks will spend more time running them down, however, they have made a judgment call (which is theirs to make) that potential gain outweighs the work.
2. You are confusing "refuse to be terrorized" with "refuse to be hysterical".
There is a risk, JohnQ shouldnt get hysterical about it, but terrorists exist (that's a fact by the way).
Ignoring a problem doesnt make it go away ;-)
@COMSEC: "they have made a judgment call (which is theirs to make) that potential gain outweighs the work."
The potential gain is only in covering their own asses, not in actual security. Time wasted tracking down thousands of false positives is time not spent on achieving real security.
Following on from what Alan Kaminsky said:
If it takes 10 minutes to review a bit of information and decide if it is worth investigating or not (which is actually very little time) those 62 reports alone tied up 10 man-hours of investigators time. That means two people were only employed to review the garbage coming in rather than actually investigating.
When you add in the reality that no Law Enforcement person is going to take the career risk of ignoring the report of a dodgy carrier bag, you can see that 62 false positives become a massive churn on investigative resources.
Even in the US, resources are limited. No agency has unlimited manpower so asking for people to report strange things is a risky gambit. Apart from anything else it opens the door wide open to 10 pence terrorism.
It would actually be a better use of Law Enforcement resources to deploy extra trained officers on the ground rather than sift through garbage intelligence in the hope of getting a gem. For some bizarre reason this
(pressed send by mistake)
For some bizarre reason this gets sidelined so that departments can "cut costs" - when in reality they are spending more.
I dont think you are comparing like for like here.
I dont recall Bruce having said that getting passengers to report suspicious packages was a good thing. ISTR it was that having security aware passengers meant that the person setting light to their underwear would get challenged.
Did I miss something in one of his posts?
quite often, to untrained people that dont work in law enforcement or security (like you two and myself for that matter) it might seem a waste of time to have the public submit anything that they think might have some security relevance.
The problem with your logic, is that implicitly, you are assuming that you know how to do law enforcements job better than they do.
They (LE) have made a judgment call that it's worth while, the intelligence gain outweighs the manpower to sift thru it.
You (amateur) are saying it isnt worth while and they shouldnt pursue it.
Which is the inherent contradiction in your argument (namely that untrained security professionals should keep their amateur observations to themselves)
A car breaks down in the middle of a crossroad. Driver fails to get it started.
50% of bystanders remains idle and just watches the scene. Some folks with zero knowledge of cars get under the hood trying to find out what the problem is. About a dozen call the police, towing or road assistance services. All it amounts to is a serious traffic jam.
The only thing it takes to resolve the situation is three clear-thinking folks to push the car aside or give it enough momentum to maybe start again.
In Vancouver, our Transit system has the motto of "Report the suspicious, not the strange."
Perhaps NYPD should look into it.
"They (LE) have made a judgment call that it's worth while, the intelligence gain outweighs the manpower to sift thru it."
Often this is not the case.Most public involvement campaigns come from LE PR departments or from public officials who are subject to re-election requirements.
The intelligence gain never outweighs the manpower requirements to sift through it - this is a simple bit of mathematics. If it takes 60 all of their working day to sift through false positives, that is 60 people BETTER deployed on the ground gathering real intelligence.
The problem with farming things out to the public, is that the public have a massive tendency to get things wrong and make assumptions on others based on themselves.
That said, you now appear to be arguing that having an opinion on the activities of a publicly funded service is wrong and that we shouldnt be in a position to challenge the decisions and assumptions made by those who are sworn to protect us because they have secret knowledge we can never aspire to knowing. This is simply wrong.
But keeping in that vein, I feel at liberty to insult your knowledge and background, safe in my own knowledge that you feel no one should ever disagree with someone else's judgement calls.
My judgement call is that you are just trolling and have nothing of value to add.
You're comparing apples and oranges. In the case of airline passengers, they are on the plane. If it gets hijacked, everyone on the plane is going to know it. Airline travel is safer now because before 9/11, under those circumstances the passengers used to sit quietly and do nothing. Now they are all going to tackle the bad guys and beat them senseless, even if they risk getting shot in the process.
That's a very different situation from asking everybody who notices some shifty-looking stranger hovering around a storefront, or who notices a bag or package that looks out of place, to report it to the police.
The thing is that most civilians are not trained on how to recognize "hinky" behaviour the way police officers and other professionals are. So most of what they report is going to be false alarms. Since there are way more civilians around than police and other security responders, its very easy for the civilians to swamp them with false alarms. If we encourage amateurs to report everything "suspicious", the result is going to be that the actual professionals will waste a lot of their time investigating these reports (of which at least 999 out of 1000 will be false alarms).
"[...] only squanders our security resources"
Yea, and "only" wastes millions in taxpayer $$.
Refuse to be spellchecked!
You know what they say about assumptions. You are assuming that GreenSquirrel and Alan don't work in security or law enforcement. Is this assumption based on anything? A security professional or cop might have more credibility, but for the sake of courtesy, please keep the debates merit based. ke=mv^2 isn't true because your physics professor said so, its true because thats how the universe is. Credibility != fact or truth. Attacking peoples credibility based on an assumption isn't productive to the discussion.
"I'm a little confused by this. Here you say that amateur security personnel provide poor results (in the form of false positives). But haven't you said that the two things that make air travel safer is the locked cockpit doors and greater passenger awareness? So which is it, are amateurs good for security or not?"
Passengers didn't have to be told that they needed to fight back; they figured it out on their own. The Times Square street vendor didn't need a slogan to alert the police about a smoke-belching SUV, either.
In general, people will do a pretty good job of figuring it out on their own. If, however, you prompt people to report everything suspicious, then you're going to get all the false alarms we've been seeing.
I haven't said it this way before, but there's a learned helplessness in "if you see something, say something" versus taking care of your own security in the event of a hijacking. And it's the learned helplessness that's bad.
Perhaps that's worth an essay in itself. I know that Frank Fuerdi has written about security and learned helplessness.
Somewhat relevant ... when I send out an email to my users that there will be some work on the servers / network over the weekend I know that on Monday I will see a flood of complaints about "problems" ... even if nothing changed (the parts that arrived were incorrect).
Day to day, people will report suspicious events.
If you CHANGE the day to day (by telling people to be alert) then you change the definition of "normal events" for them. Which results in reports about what people perceive as possibly suspicious based upon their perception of your request.
Point taken and apologies to have offended anyone.
"In general, people will do a pretty good job of figuring it out on their own. If, however, you prompt people to report everything suspicious, then you're going to get all the false alarms we've been seeing.
I haven't said it this way before, but there's a learned helplessness in "if you see something, say something" versus taking care of your own security in the event of a hijacking. And it's the learned helplessness that's bad"
I could see that if in fact there is a distinction between the two (people doing well figuring it out vs people doing poorly reporting something suspicious), it would indicate that your position on public action is consistent between hijacking and reporting "suspicious packets".
honestly I'm not sure I see a difference, the "hijacking" that people are reacting to could be something completely innocuous, and the package that people dont react to could be a real danger. After the fact it's easy to disect the situation and determine what was real and not, but in the moment it isnt quite as easy for the average citizen.
If, in general, "we" wait until we know for positive that the threat is real, we have basically abandoned prevention in favor or response?
but, it's a good point, I'll think on it :-)
"If you ask amateurs to act as front-line security personnel, you shouldn't be surprised when you get amateur security."
This is one of my favorite quotes. I use it all the time at work since we started a "See Something Say Something" program there about a year ago. 10,000 employees in a place with a huge amount of public access. It's a nightmare especially since they won't give us the personnel to check on all the false positives.
@COMSEC, "we have basically abandoned prevention in favor or response?"
Anyone please correct me if I'm misremembering but, I believe Bruce has said multiple times that response is far more important than prevention because anything you do to improve response helps in far more situations than anything you do to prevent.
Increase security at stadium A? Bombers go after stadium B or tunnel C or school D instead, resulting in very little difference overall.
Improve emergency response (fire, medical, and police) and you're more likely to reduce collateral damage, reduce casualties, and catch the culprits whether they attack stadium A, B, tunnel C or school D.
That is not to say that prior investigation should be ignored, just that it should be focused on real leads rather than untrained hunches.
Also, every time I see or hear an "if you see anything suspicious, call [police]" message I'm tempted to call myself in because I'm weird and usually look out of the ordinary.
Here in Los Angeles the MTA has asked
passengers to report immediately
"anything that doesn't seem to fit"
or "anything suspicious",
and "anything unusual".
"ke=mv^2 isn't true because your physics professor said so, its true because thats how the universe is."
ke=mv^2 is not true.
your right man that is our universe
I feel a tad embarrassed. You are correct it isn't true. I forgot the one half.
"There were 10,566 reports of suspicious objects across the five boroughs in 2010."
How many were reported in 2000?
A cheap saying, Take a knife to war instead of a gun, your think better
Comsec: "The problem with your logic, is that implicitly, you are assuming that you know how to do law enforcements job better than they do."
Well, the problem with YOUR logic is that it's already been established that we do.
"the "hijacking" that people are reacting to could be something completely innocuous"
Bruce is not talking about all the times passengers have complained about someone wearing a turban on a plane. He knows full well this is precisely the problem of false positives.
He's talking about the difference between hijackers resisting a clearly armed takeover over a plane and people reporting random objects all over the place.
Also, there is no "abandonment of prevention". Instead of wasting efforts on preventing terrorist acts (allegedly) already in operation by responding to meaningless suspicions, expend those resources preventing the terrorists from INITIATING ANY operations.
As I've said before, there is no security. The only way to deal with terrorism is to either find and incarcerate or kill the terrorists or change one's policies so one is no longer a terrorist target. The latter once again could be done overnight here in the US and remove the US from the sights of most of the international terrorist groups (if not the home grown political variety.) This would be infinitely more effective and cheaper than any "War on Terror" expending hundreds of billions to achieve nothing but more terror and less civil rights.
"If you see something, say something" is little more than trying to produce a nation of paranoid snitches a la Eastern Germany.
I like the analogy there. It seems over the last decade, the majority of government led initiatives - on both sides of the Atlantic - have tried to emulate 1970s East Germany.
@RSH, Re: Change policy to avoid terrorism
I'm not sure that would work entirely as you guess it would. There would, no doubt, be allies (such as Israel) who would be quite upset with us if we majorly changed foreign policy. The groups, both terrorist and state, who oppose the US worldwide would declare this a "win" for their policies, bolstering their strength and resolve. There will still be extremist groups who still wish "for revenge" or "to punish" the US for past wrongs. Not to mention whether a "retreat" by the US would hurt our country's morale internally, possibly affecting the economy for the worse.
The cost/benefit analysis would have to take into account all of that. Here, I think erring on the side of "the devil you know" may be safer in, at least, the short term. (If we were more economically stable it may be worth it to do a quick turn-around.)
For example, for Iraq, I think the best withdrawal policy would be to first establish our willingness to put in place a permanent military presence regardless of the outcome /then/ to /choose/ not to. As it stands if we stay we're staying because /we have to finish a job/ and if we leave we're leaving because /we can't stand the cost of war./ Neither of those look good for us.
No One: "There would, no doubt, be allies (such as Israel) who would be quite upset with us if we majorly changed foreign policy."
Since Israel and its treatment of the Palestinians is one MAJOR reason the Muslim world dislikes the US, I'd say that's the BEST thing we could achieve by changing our policies. In fact, abandoning Israel in the UN, stop selling them arms, and start trying to get them back to the 1967 borders (if not the 1947 borders) would almost completely reverse our standing in the Middle East and elsewhere.
Add to that the abandonment of Saudi Arabia and add support (if only by removing arms sales) for the Arab street against the corrupt monarchies and dictatorships, and the Arab world would come to regard the US with pleasure.
There may be a few extremist groups who would continue to dislike us, but their numbers would be reduced considerably.
As for Iraq, if the US military remains - as Obama is pushing the Iraqi government to accept - it is likely the Maliki government will fall and the Sadrists and Sunni resistance groups will resume the insurgency against us. For what? So we can get some PR value out of staying? So we can try to use Iraq as a staging ground to attack Iran?
I second the idea that "refuse to be terrorized" does not equate to "don't report suspicious packages". You're implying a false connection, namely that if you report a package you must be terrorized. But, this is simply not true. You can not be terrorized but also report suspcious things.
"Hey, that packages beside me on the train looks out of place. [Notifies train security, then sits down in the same place anyway.] Duh?
@ Richard Steven Hack
You present yourself as being knowledgeable about the Palestinian-Israeli conflict when the reality is that in my opinion you are showcasing yourself as an example why your thesis wouldn't work. Is your opinion of the conflict there based on extensive research, or on what you see on the 11 o'clock news? Have you traveled to the area and extensively interviewed people on both sides?
My guess is that your opinion of the conflict is largely generated by your own personal ideals compounded with your believing media sources which agree with those ideals. Even if the US were to try to change its image in the Arab world, it is likely it would not succeed, since it is too useful as a scapegoat for generating political support.
Xenophobia is an entrenched human instinct and one has to work hard to moderate it. Most people don't bother, and politicians have learned how to take advantage of that.
I think part of the problem is that people *do* report suspicious or strange things.
If you sat next to a ticking parcel on the train, you *would* report it without a sign telling you to do so.
The effect of the signs is that people's filters change so that insignificant things become important and therefore reported. If you keep reminding people about the scary bogeyman, they will jump at their own shadows.
By pushing a sign telling people to do something they were going to do anyway, it only adds to the effect of terrorism on people's behaviour.
Its a terrorist win.
@RonK / RSH
I think that, for many reasons, nothing the US does will improve its image in the middle east for several generations now. The hatred and political / religious lies that are spread are so heavily ingrained in the relevant cultures that any change will need to be grown through.
That said, this isnt for one second an agreement that *continuing* to do the wrong thing is acceptable. Simply saying "they hate us anyway" isnt an excuse to continue with the behaviour that alienates and feeds this hatred.
Sadly, most people and certainly politicians are too short-focused to ever adopt a policy of doing things that will reap dividends in 150 years.
Whatever happens the US is going to be hated, so it has the choice to be hated for doing the right thing or for doing the selfish wrong thing.
I know which I would rather have happen.
I had a wonderful incident on the NYC Subway on Friday. I went out with a friend to ride some of the last R42's on the J so we could take pictures and video from the front video, an activity that is expressly permitted in the NYCTA rules and regulations.
After making a complete run inbound from Jamaica Center to Broad Street I was planning to catch the next train back out to Essex, but I ended up catching the same trainset with the same African American female operator. Anyway I go back to taking some video out the front and after a few stops the operator opens the door and begins to demand to know what my friend and I were doing.
Now for the last HOUR we had been standing at the front talking about all manner of NYC Subway minutia including historical routings, equipment preferences, service disruptions, etc, but apparently making a return trip indicated we were some sort of terrorist threat that she felt compelled to deal with. I try to explain how taking pictures was perfectly legal, but the woman launches into how with what had happened with Bin Laden I wasn't "supported" to be taking pictures.
Ah yes, that wonderful shadow government that passes these pseudo "supposed to" laws. At this point I could have whipped out my documentation that states that photography was permitted, but since I was getting off the train at the next stop I just told her that she could call the cops, which she then proceeded to do (after delaying the train to bitch us out of course).
Anyway my friend and I head to the rear of the car just because I didn't want to get into it with the woman and as we were walking the other passengers in the car tell us that she was wrong and we shouldn't stop whatever we were doing. I explain that we were honestly planning to get off at Essex and proceed to stand ready to do so. Well, we pull in and she holds the doors closed clearly expecting the police or whomever to show up. She does this for a good two minutes further delaying the train and angering the passengers in the lead car. Finally the conductor relents and opens the doors and we bail out onto the platform, no police anywhere to be seen and then proceed to make a speedy escape via the F train to midtown.
I am sure I could have handled the situation in a more optimal manner, but I'm counting this as a huge win because I am sure that I completely ruined this employee's faith in the "See Something, Say Something" system. She saw something, she said something and nobody gave a flying poop about it.
@bruce "If you ask amateurs to act as front-line security personnel, you shouldn't be surprised when you get amateur security."
That concept applies to so much in life.
One of my sayings is "crazy can make for fun *ex but there is a fine line between crazy and batsh*t crazy. It's not worth it."
The point is that security and many other things can be a little crazy. But it always moves to the really crazy before the pullback. Many who read this blog or are in the industry spot the crazy and warn...but it goes to the inevitable extreme lengths. Someone was asking for help with packages and they shut down the train station.
For example, an armoured vehicle (read limo) goes on base. It has mesh on tailpipe and don't even mention the funny looking wire harness in the back under carpet. The corporal can't do his trained cavity search and throws the whole inspection into chaos. Until senior leadership shows up. Nothing more sobering than a 18yo pointing an automatic weapon on ya.
Wouldn't an armoured vehicle contain the explosion nicely? BTW, don't say that to the 18yo above. No sense of humor. alas, I fear as I am turning into a grouchy old man. ;)
I can't believe nobody sees the fallacy in the post's title.
OBL's death didn't cause anything. People choose how they will react, sometimes consciously, sometimes not. But this spike didn't just magically happen all on its own, as a direct result of terminating OBL with extreme prejudice, with no intervening human action.
Of the 10,566 reports of suspicious objects, does anyone know how many were actually dangerous? Also, is there a breakdown of the costs of responding to these?
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..