Risky Business?—Examining the Difference Between Safety and Security
In Beyond Fear, security consultant Bruce Schneier undertakes to teach the reader “to think about security.” That focus is the book’s strength and its limitation.
First, the limitation. The book refers to crimes, accidents and attacks, many of which would be fascinating to know about. But this book is not about any of those prospective events. It has a more practical purpose.
Thinking about security will be particularly valuable for anyone who has to make a decision about that—a business owner, perhaps, or a policymaker. Schneier lays out a set of questions to ask about any system: What is it trying to protect? From what? What good will it do? What problems will it create?
For example, door keys in Switzerland are made so that they cannot be easily duplicated. That increases security. The problem is that if you are locked out, it may be a bigger problem than in America.
Schneier is careful to distinguish between threat and risk. A threat is something that might happen. Risk also concerns the likelihood of it happening. Any skyscraper, anywhere, might be attacked with an airplane. Even after 9-11, for any given skyscraper, such an attack is not much of a risk.
“The goal isn’t to eliminate the risks,” Schneier writes, “but to reduce them to manageable levels.”
It is also to weigh and judge them. People tend to underestimate common risks and overestimate exotic ones. A Seattleite who goes camping in the dry country of Eastern Washington will worry more about rattlesnakes than road accidents, not thinking that only 15 people a year die of snakebite in all of the United States and about 40,000 from road accidents.
Rattlesnakes and road accidents are safety risks. Safety is about accidents, security about attackers. It may be worthwhile to think about both. A homeowner may reduce the chance of an intruder by buying a home alarm. But a parent can make a greater improvement in his family’s safety, Schneier says, by locking up guns, buckling up seat belts and teaching his kids how to swim.
Schneier has a common-sense view of technology. You have to have it, because your adversaries have it, but you can’t rely entirely on machines. He gives an example from our own back yard, the the apprehension in Port Angeles of terrorist Ahmed Ressam. He was not caught because of a computer. He was caught because U.S. Customs inspector Diana Dean asked him a few questions and felt “hinky” about him.
As Schneier goes through the various concepts of security—most of them common-sense ones—a cynic might note that he is in the security business, and that his book as a tremendous piece of marketing. So it is. But it also brings a new lens through which to view the past two years.
Much of the measures immediately after 9-11, says Schneier, were “security theater”—that is, things that were objectively useless but emotionally reassuring. One such measure was posting the National Guard at airports with rifles but (wisely) with no ammunition. And Schneier does not dismiss this: Americans needed to feel better, he says, because they were overreacting to the actual risk.
Even today, he says, “The security we’re getting against terrorism is largely ineffective, although it’s probably commensurate with the minimal level of risk that actually exists.”
What makes less sense, he says, is the idea that the American people need to trade away their liberty and privacy in order to be secure. In some cases that may be so, but generally, he says, a decentralized society is more secure than a centralized one. If each property owner or unit of government controls its own security, the systems will be different. The weakest link may be more vulnerable, but no terrorist will be able to bring the whole system down by striking at one point.