U.S. Ports Raise Proxy Problem

By Bruce Schneier
Wired News
February 23, 2006

Does it make sense to surrender management, including security, of six U.S. ports to a Dubai-based company? This question has set off a heated debate between the administration and Congress, as members of both parties condemned the deal.

Most of the rhetoric is political posturing, but there's an interesting security issue embedded in the controversy. It's about proxies, trust, and transparency.

A proxy is a concept I discussed in my book Beyond Fear. It's a person or organization that acts on your behalf in some way. It's how complex societies work -- it's impossible for us all to do everything or make every decision, so we cede some authority to proxies.

Whether it's the cook at the restaurant where you're eating, the suppliers who make your business run or your government, proxies are everywhere. Doctors, stockbrokers, hotel chains and government regulators like the FDA and the FAA are all proxies.

Sometimes proxies act in our behalf simply because we can't do everything. But more often we have these proxies because we don't have the expertise to do the work ourselves.

Most security works through proxies. We just don't have the expertise to make decisions about airline security, police coverage and military readiness, so we rely on others. We all hope our proxies make the same decisions we would have, but our only choice is to trust -- to rely on, really -- our proxies.

Here's the paradox: Even though we are forced to rely on them, we may or may not trust them. When we trust our proxies, we come to that trust in a variety of ways -- sometimes through experience, sometimes through recommendations from a source we trust. Sometimes it's third-party audit, affiliations in professional societies or a gut feeling. But when it comes to government, trust is based on transparency. The more our government is based on secrecy, the more we are forced to "just trust" it and the less we actually trust it.

The security of U.S. ports involves a lot of proxies. We, the people, gave our proxy to our elected officials. They passed laws -- the Maritime Transportation Security Act (a U.S. law) and the International Ship and Port Facility Security codes -- regulating security at these ports, and tasked the Coast Guard, another proxy, to oversee that.

The same elected officials (or perhaps some different elected officials, through some other bureaucratic proxy entirely) have hired yet another proxy -- a company based in the United Kingdom called Peninsular and Oriental Steam Navigation Company (P&O) -- to manage the ports in New York, New Jersey, Philadelphia, Baltimore, Miami and New Orleans.

And now the officers of P&O, acting as proxies for the company's shareholders, agreed to be absorbed by yet another proxy: Thunder FZE, itself a subsidiary of another company called Dubai Ports World, which is a corporation based in the United Arab Emirates.

Still another proxy, the Committee on Foreign Investment in the United States, part of the Treasury Department, approved the sale. And finally, both P&O and Thunder FZE hire thousands of proxies -- employees, suppliers and partners -- to carry out the actual jobs at the various ports they operate.

This is a complicated web of proxies, but it's a complicated system. We have trouble trusting it, because so much is shrouded in secrecy. We don't know what kind of security these ports have. We hear snippets like "only 5 percent of incoming cargo is inspected," but we don't know more than that. We read that security aspects of the P&O sale were "rigorously reviewed," and that the review was "cursory."

We don't know what kind of security there is in the UAE, Dubai Ports World or the subsidiary that is actually doing the work. We have no choice but to rely on these proxies, yet we have no basis by which to trust them.

Pull aside the rhetoric, and this is everyone's point. There are those who don't trust the Bush administration and believe its motivations are political. There are those who don't trust the UAE because of its terrorist ties -- two of the 9/11 terrorists and some of the funding for the attack came out of that country -- and those who don't trust it because of racial prejudices. There are those who don't trust security at our nation's ports generally and see this as just another example of the problem.

The solution is openness. The Bush administration needs to better explain how port security works, and the decision process by which the sale of P&O was approved. If this deal doesn't compromise security, voters -- at least the particular lawmakers we trust -- need to understand that.

Regardless of the outcome of the Dubai deal, we need more transparency in how our government approaches counter-terrorism in general. Secrecy simply isn't serving our nation well in this case. It's not making us safer, and it's properly reducing faith in our government.

Proxies are a natural outgrowth of society, an inevitable byproduct of specialization. But our proxies are not us and they have different motivations -- they simply won't make the same security decisions as we would. Whether a king is hiring mercenaries, an organization is hiring a network security company or a person is asking some guy to watch his bags while he gets a drink of water, successful security proxies are based on trust. And when it comes to government, trust comes through transparency and openness.

Think of it as security from proxies.
