Everything We Know About Security Is Wrong
So says counterterrorism contrarian Bruce Schneier. And the Transportation Security Administration is listening.
In late July, Transportation Security Administration chief Kip Hawley announced a change in his agency's air travel screening policy: Effective August 4, cigarette lighters would no longer be banned from airplanes.
Explaining the measure in an interview with the New York Times, Hawley acknowledged that confiscating lighters at security checkpoints—the TSA's policy for the last two years in the wake of a failed shoe-bombing attempt—had been a waste of resources. Terrorists, he noted, might just as well ignite bombs on airplanes using small batteries (or, as he didn't note, matches).
"Taking lighters away is security theater," Hawley told the Times. "It trivializes the security process."
Among those struck by Hawley's about-face was Bruce Schneier, a Minneapolis man alternately called a "security guru" (The Economist), "the smartest guy in the room on security" (the ACLU), and "unquestionably the world's foremost security technologist" (Connections). Schneier, who wears the graying beard and thinning ponytail of a computer geek chieftain, didn't earn such accolades by mincing words.
"There have been exactly two things since 9/11 that have made air travel safer," Schneier said recently over spring rolls at a favorite Vietnamese restaurant on Nicollet Avenue. "Reinforcing the cockpit door and telling people to fight back in the event of an attack." After a brief pause, half-devoured roll in hand, he reconsidered. "Well, maybe three," he said. "I'm on the fence about sky marshals."
One thing Schneier isn't on the fence about is the billions of dollars that the TSA has spent making air travelers pour out their water, take off their shoes, and until recently, throw out their cigarette lighters. All of this, Schneier argues, might make people feel safer, but it does little to actually improve security.
Waiting for his bowl of pho to arrive, a triumphal smile crept across Schneier's face when he brought up Hawley's recent announcement. It wasn't just that the TSA head had shifted policy. It was also that phrase: "security theater." Schneier coined it back in 2003, to encapsulate what by his lights was a parade of new measures that conveyed safety but accomplished little.
Such elegantly blunt criticisms have helped make Schneier a leading counterterrorism contrarian. A prolific writer—he has published several books, maintains regular columns for Wired.com and Forbes.com, and has a blog and electronic newsletter with a combined monthly readership of about 200,000—Schneier is also a seasoned public speaker, having addressed, among other august bodies, the House of Lords, the World Economic Forum, and the U.S. Congress.
And that's just in his spare time. Schneier's paying job is chief technology officer for BT Counterpane, a network security company he founded in 1999 that last year was bought out for tens of millions of dollars. In addition, Schneier is quoted almost daily in one media outlet or another, on everything from data mining (usually a bad idea), to paperless voting (always a bad idea), to buying stuff with a credit card online (in the grand scheme of things, not such a bad idea).
But he's most passionate about the government's response to terrorism since September 11, which he says has been both out of proportion to the threat and overly governed by our collective fears. His pho placed in front of him, Schneier picked up his spoon and jabbed the air with it. "We're one terrorist attack away from a police state," he said.
On a recent morning at the Minneapolis-St. Paul International Airport, Schneier set out to foil airport security.
Dressed in a black blazer and jeans, Schneier approached a stone-faced Northwest Airlines ticket agent and informed her that he'd lost his ID.
"Do you have a credit card in your name?" she asked.
"No," Schneier answered.
In accordance with airline policy, the agent printed Schneier's boarding pass, scrawling "NO ID" on it. Schneier thanked her and headed to the security line, where he would receive extra scrutiny.
In the end, though, Schneier was allowed to board his plane with little difficulty, even though the airline had no idea who he was. In so doing, Schneier demonstrated why the so-called "No Fly" list—the backbone of the airport security system—is, as he puts it, "a complete waste of time."
The No Fly list is a confidential database of people deemed by the federal government to be too dangerous to fly under any circumstances (albeit, as Schneier wryly points out, "too innocent to arrest"). A secondary classification, the lesser-known "Selectee" list, requires passengers to submit to a luggage search and wanding. But because, as Schneier demonstrated, anyone can check in without an ID and be treated as a selectee (not to mention board as a normal passenger by bribing a DMV worker for a fake license, as some of the 9/11 hijackers did), the No Fly list is easily circumvented.
The government knows this, of course, and has pledged to overhaul the system by taking it out of the hands of the airlines. However, as Schneier points out, people will always lose their IDs, and there will always have to be a system in place to allow them to fly without one. Skeptical? Just imagine having your wallet stolen in Tulsa and being stuck there for weeks while waiting for a replacement driver's license. Imagine that happening to hundreds of people a day, and the subsequent angry calls to congressmen and congresswomen demanding a change in the law.
Which, says Schneier, is why any form of air travel security based on identifying passengers will never work. It will always be just a form of "security theater."
In a recent series of email exchanges with TSA chief Hawley that Schneier posted on his blog, he scolded Hawley for engaging in "cover your ass" security measures: A guy tries to blow up an airplane with his shoes, so now everyone has to take their shoes off; some people think of smuggling liquid explosives on a plane, so now everyone has to put liquids in three-ounce containers (unless the bottle is labeled "saline solution," which counts as medication, and thus can be brought aboard in a vaguely defined "reasonable quantity").
As Cory Doctorow, the co-editor of the popular tech blog Boing Boing, puts it: "Bruce has a particular gift for puncturing ridiculous statements about security."
But though Schneier has been winning converts, his views are hardly gospel in government circles. Clark Kent Ervin, the former inspector general of the Department of Homeland Security, accuses Schneier of downplaying the terrorist threat.
"It's true that the chance of being killed by a terror attack is much smaller than being stricken by cancer," says Ervin, who heads the homeland security program at the Aspen Institute, a Washington, D.C.-based think tank. "But it's comparing apples and brass buttons." Terror attacks, he says, "have a huge psychological as well as an economic impact. It's silly talk to say that the chances of being killed in a terrorist attack are so small, and to infer from that that we needn't worry about it."
Ultimately, Ervin says, Schneier's legacy may be to lull people into a false sense of security. "His kind of thinking might be excusable in a pre-9/11 world," Ervin says. "But in the post-9/11 world, it's irresponsible and dangerous."
Bruce Schneier has had a fascination with security since childhood. As a boy in Brooklyn in the 1960s, he would crack secret codes written for him by his father. When he got older, he found himself studying the placement of security cameras to figure out the best strategy for shoplifting (a purely intellectual exercise—he says he never followed through on the idea).
After graduating from SUNY Rochester with a degree in physics, Schneier spent the latter half of the 1980s at the Defense Department. He won't elaborate on his time there, other than to say it involved "implementing security solutions at military installations."
A few years later, in 1993, Schneier penned his first best-selling book. The mathematics-heavy Applied Cryptography quickly became the seminal how-to guide for writing ciphers—complex algorithms that scramble data, protecting it when sent from one computer to another.
In the years that followed, computer programmers—many looking to Schneier's book for instruction—designed ever-more-impenetrable ciphers, with an eye toward keeping the data of multinational companies secure.
This posed a problem for the U.S. government, which considered such so-called "strong crypto" a risk to national security. The Clinton administration, following in the footsteps of its predecessors, sought to put a stop to it, asserting that selling the encryption programs to foreign companies amounted to a breach of the International Traffic in Arms Regulations.
A loose affiliation of mathematicians, civil libertarians, and antigovernment hard-liners fought back, giving rise to what came to be known as the "Crypto Wars." In the ensuing public debate, Schneier found himself firmly in the fray, writing opinion papers and testifying before Senate and House committees.
"He could respond to the government's experts tit for tat," says Jim Dempsey, policy director for the Center for Technology and Democracy, which advocated for strong crypto. "And nobody could say that he didn't know what he was talking about, because he literally wrote the book on cryptography."
In 1999, after an appellate court ruled that restricting encryption was illegal, the Clinton administration surrendered. Encryption technology was allowed to flourish.
But as Schneier's co-combatants celebrated a hard-won victory, he found himself unable to join them. "We won the war," he says, "but it was the wrong war."
Schneier had realized that the most important component of any security system is not its strengths but its weaknesses. Strong crypto is nearly impossible to penetrate. But the computer, the network, and even the user are far more fallible.
Take, for example, the case of Dennis Alba and Mark Forrester. In 2001, the DEA investigated the middle-aged pair—who had become friends while in prison—on suspicion of setting up and running a large-scale, sophisticated Ecstasy ring in Escondido, California. The partners used code words to communicate and shielded their computer files with stong crypto. The DEA's extensive investigation included obtaining a search warrant to break into their office and install a "keystroke logger" on a computer. That piece of software, which records what's typed on the keyboard, enabled the government to get the key that unlocked their encryption. In 2005, both men were sentenced to 30 years in federal prison. (Forrester's conviction was later overturned on a technicality.)
The lesson was clear: All the crypto in the world is powerless to protect you if the front door is so easily pried open. Taking this to heart, Schneier, with a few million dollars of venture capital in tow, set up Counterpane Internet Security. The mission of the Silicon Valley-based firm was to monitor computer networks in much the same way ADT Home Security protects houses: by having human beings work in concert with technology.
J.P. Vossen, a senior engineer at Counterpane, was inspired to join the company after hearing Schneier speak at a computer security conference. "He can explain some counterintuitive stuff very clearly," Vossen says. "I like Bruce's approach. That's the largest reason I'm working here."
In the years that followed, Counterpane grew to a 115-employee firm worth tens of millions of dollars.
This is where Schneier may have lived happily ever after, as a successful businessman and computer security geek extraordinaire. But then came the events of September 11, and what Schneier calls the "silly security season."
Schneier's house, which has no more security than the locks on the doors, is a handsome stone structure on a leafy street across from Minnehaha Creek. Along with his wife, Karen Cooper, Schneier has lived here for the past 11 years. Most of the downstairs is one large open space, with no walls separating the living room, dining area, and sunroom, the last of which serves as Schneier's office.
Sitting near a window facing the creek on a recent afternoon, Schneier's blue eyes opened wide and his voice rose as he explained his frustration with how the media covers would-be terrorists. "We're just getting scared over idiots, like the London bombers," he argued, referring to the clique of foreign-born medical personnel in Britain who tried to set off three car bombs. "Nothing would have exploded in those cars. You would have had a bunch of hot nails."
Then there was the group of men who planned to blow up Kennedy airport in New York. "You ever been to Kennedy airport?" Schneier asked. "It's acres wide. You can't blow up Kennedy airport. And they had a stupid plan that wouldn't have worked. But we get all panicky. We end up saying, 'Oh God! These people are going to blow up Kennedy airport!'"
Such fears are examples of what Schneier calls "movie-plot threats"—grandiose scenarios that capture the imagination but are highly unlikely to succeed. "They're good for scaring people, but it's just silly to build national security policy around them," Schneier says.
On his blog last year, Schneier took issue with the idea that terrorists might target school buses. To protect against this dreamed-up threat, the Department of Homeland Security started training school bus drivers to be on the lookout for hijackers. In addition to being a waste of resources, Schneier pointed out, the measure may have actually put kids at greater risk, because bus drivers distracted by phantom terrorists could be more vulnerable to the much more realistic danger of oncoming traffic.
For an example of how to spend money appropriately, Schneier says one need look no further than the I-35W bridge collapse. By investing federal Homeland Security money in communications equipment and a disaster preparedness plan—a response mechanism useful in any type of attack or catastrophe—local and state authorities were able to coordinate their efforts and, in all likelihood, save lives.
"If they'd have put all that money into protecting the Foshay Tower, it would have been a complete waste," Schneier says.
In January, Schneier visited his newly born godson, Nicholas Quillen Perry, at Abbott Northwestern hospital in Minneapolis. As he looked at the snoozing infants in the maternity ward, he noticed that each one had an electronic bracelet around its ankle, which would trigger an alarm if the newborn were taken out of the ward.
Sizing up this anti-infant-abduction measure, Schneier was initially struck by the stupidity of it. Hospital baby snatchings, after all, are extremely rare. Since 1983, there have been fewer than 250 reported cases in the United States, out of more than 80 million babies born in that time. In other words, the chance of a baby being abducted from a hospital is less than three in a million.
But as Schneier watched the babies being removed from their cribs for one test or another, he began to wonder if this blatant display of security theater was such a bad thing after all. Parents of newborns are in a highly anxious state, prone to feeling less secure than they really are. Electronic bracelets, while not providing much actual security, can do wonders for the emotional well-being of the frazzled parents.
Which has led to Schneier's most recent revelation: Security theater can actually be a good thing when it brings our feelings of safety into line with the actual threat.
Take the tamper-evident seals on over-the-counter medicine. In 1982, seven people in the Chicago area died after someone slipped cyanide into packages of Extra Strength Tylenol. Responding to widespread fears, manufacturers introduced tamper-evident seals. Although these were security theater—they don't protect against syringes, for instance—the sense of safety they brought made the public's comfort level come back in line with the actual threat, which was, statistically speaking, quite minimal.
Sitting at a coffee shop around the corner from his house, Schneier considered the implications of his turnabout. Here he was, having spent years deriding security theater in all its manifestations, now saying that, in some cases, it's actually a good thing.
Did that mean he owed TSA chief Kip Hawley an apology?
Schneier let out a chortle. His answer was true to form: so self-evident that it left the questioner feeling somewhat silly for even asking. The baby bracelets and tamper-evident medications, Schneier explained, are there to calm people. Banning lighters but not matches does nothing to relax fears.
"It's bad theater," Schneier said. "Everyone sees what the TSA's doing is a joke."