Entries Tagged "DHS"


DHS Cybersecurity Awareness Campaign Challenge

This is a little hokey, but better them than the NSA:

The National Cybersecurity Awareness Campaign Challenge Competition is designed to solicit ideas from industry and individuals alike on how best we can clearly and comprehensively discuss cybersecurity with the American public.

Key areas that should be factored into the competition are the following:

  • Teamwork
  • Ability to quantify the distribution method
  • Ability to quantify the receipt of message
  • Solution may under no circumstance create spam
  • Use of Web 2.0 Technology
  • Feedback mechanism
  • List building
  • Privacy protection
  • Repeatability
  • Transparency
  • Message

It should engage the Private Sector and Industry leaders to develop their own campaign strategy and metrics to track how to get a unified cyber security message out to the American public.

Deadline is end of April, if you want to submit something. “Winners of the Challenge will be invited to an event in Washington D.C. in late May or early June.” I wonder what kind of event.

Posted on April 2, 2010 at 6:14 AM

Dead on the No-Fly List

Such “logic”:

If a person on the no-fly list dies, his name could stay on the list so that the government can catch anyone trying to assume his identity.

But since a terrorist might assume anyone’s identity, by the same logic we should put everyone on the no-fly list.

Otherwise, it’s an interesting article on how the no-fly list works.

Posted on March 24, 2010 at 6:38 AM

TSA Logo Contest Winner

In January I announced a contest to redesign the TSA logo. Last week I announced the five finalists—chosen by Patrick Smith from "Ask the Pilot" and myself—and asked you all to vote on the winner.

Four hundred and seven votes later, we have a tie. No really; we have a tie. Rhys Gibson and “I love to fly and it shows” have 135 votes each. (It’s still a tie at 141 votes each if I give half credit for all split votes.) Both are well ahead of the third place winner, with 81 votes. There were a few ambiguous comments that could possibly break the tie, but rather than scrutinize the hanging chad any more closely, I’m going to appeal to the judges to cast the deciding votes.

Although both logos are excellent, both Patrick Smith and I vote for Rhys Gibson.

U.S. Department of Security Theatre logo

Congratulations. Send me your physical address and we’ll get you your prizes.

Posted on February 22, 2010 at 2:00 PM

TSA Logo Contest Finalists

Last month I announced a contest to redesign the TSA logo. Here are the finalists. Clicking on them will bring up a larger, and easier to read, version.

  • Travis McHale
  • Will Imholte
  • Rhys Gibson
  • Kurushio
  • I love to fly and it shows

Vote in the comments. The winner will receive a copy of our most recent books, a fake boarding pass on any flight for any date, and an empty 12-ounce bottle labeled “saline” that you can refill and get through any TSA security checkpoint.

Voting will close at noon PST on Sunday, February 21.

EDITED TO ADD (2/22): Winner here.

Posted on February 14, 2010 at 3:28 PM

Fixing Intelligence Failures

President Obama, in his speech last week, rightly focused on fixing the intelligence failures that resulted in Umar Farouk Abdulmutallab being ignored, rather than on technologies targeted at the details of his underwear-bomb plot. But while Obama’s instincts are right, reforming intelligence for this new century and its new threats is a more difficult task than he might like. We don’t need new technologies, new laws, new bureaucratic overlords, or—for heaven’s sake—new agencies. What prevents information sharing among intelligence organizations is the culture of the generation that built those organizations.

The U.S. intelligence system is a sprawling apparatus, spanning the FBI and the State Department, the CIA and the National Security Agency, and the Department of Homeland Security—itself an amalgamation of two dozen different organizations—designed and optimized to fight the Cold War. The single, enormous adversary then was the Soviet Union: as bureaucratic as they come, with a huge budget, and capable of very sophisticated espionage operations. We needed to defend against technologically advanced electronic eavesdropping operations, their agents trying to bribe or seduce our agents, and a worldwide intelligence gathering capability that hung on our every word.

In that environment, secrecy was paramount. Information had to be protected by armed guards and double fences, shared only among those with appropriate security clearances and a legitimate “need to know,” and it was better not to transmit information at all than to transmit it insecurely.

Today’s adversaries are different. There are still governments, like China, who are after our secrets. But the secrets they’re after are more often corporate than military, and most of the other organizations of interest are like al Qaeda: decentralized, poorly funded and incapable of the intricate spy versus spy operations the Soviet Union could pull off.

Against these adversaries, sharing is far more important than secrecy. Our intelligence organizations need to trade techniques and expertise with industry, and they need to share information among the different parts of themselves. Today’s terrorist plots are loosely organized ad hoc affairs, and those dots that are so important for us to connect beforehand might be on different desks, in different buildings, owned by different organizations.

Critics have pointed to laws that prohibited inter-agency sharing but, as the 9/11 Commission found, the law allows for far more sharing than goes on. It doesn’t happen because of inter-agency rivalries, a reliance on outdated information systems, and a culture of secrecy. What we need is an intelligence community that shares ideas and hunches and facts on their versions of Facebook, Twitter and wikis. We need the bottom-up organization that has made the Internet the greatest collection of human knowledge and ideas ever assembled.

The problem is far more social than technological. Teaching your mom to “text” and your dad to Twitter doesn’t make them part of the Internet generation, and giving all those cold warriors blogging lessons won’t change their mentality—or the culture. The reason this continues to be a problem, the reason President George W. Bush couldn’t change things even after the 9/11 Commission came to much the same conclusions as President Obama’s recent review did, is generational. The Internet is the greatest generation gap since rock and roll, and it’s just as true inside government as out. We might have to wait for the elders inside these agencies to retire and be replaced by people who grew up with the Internet.

A version of this op-ed previously appeared in the San Francisco Chronicle.

I wrote about this in 2002.

EDITED TO ADD (1/17): Another opinion.

Posted on January 16, 2010 at 7:13 AM

Airplane Security Commentary

Excellent commentary from The Register:

As the smoke clears following the case of Umar Farouk Abdul Mutallab, the failed Christmas Day “underpants bomber” of Northwest Airlines Flight 253 fame, there are just three simple points for us Westerners to take away.

First: It is completely impossible to prevent terrorists from attacking airliners.

Second: This does not matter. There is no need for greater efforts on security.

Third: A terrorist set fire to his own trousers, suffering eyewateringly painful burns to what Australian cricket commentators sometimes refer to as the “groinal area”, and nobody seems to be laughing. What’s wrong with us?

Posted on January 13, 2010 at 2:55 PM

Post-Underwear-Bomber Airport Security

In the headlong rush to “fix” security after the Underwear Bomber’s unsuccessful Christmas Day attack, there’s been far too little discussion about what worked and what didn’t, and what will and will not make us safer in the future.

The security checkpoints worked. Because we screen for obvious bombs, Umar Farouk Abdulmutallab—or, more precisely, whoever built the bomb—had to construct a far less reliable bomb than he would have otherwise. Instead of using a timer or a plunger or a reliable detonation mechanism, as would any commercial user of PETN, he had to resort to an ad hoc and much more inefficient homebrew mechanism: one involving a syringe and 20 minutes in the lavatory and we don’t know exactly what else. And it didn’t work.

Yes, the Amsterdam screeners allowed Abdulmutallab onto the plane with PETN sewn into his underwear, but that’s not a failure, either. There is no security checkpoint, run by any government anywhere in the world, designed to catch this. It isn’t a new threat; it’s more than a decade old. Nor is it unexpected; anyone who says otherwise simply isn’t paying attention. But PETN is hard to explode, as we saw on Christmas Day.

Additionally, the passengers on the airplane worked. For years, I’ve said that exactly two things have made us safer since 9/11: reinforcing the cockpit door and convincing passengers that they need to fight back. It was the second of these that, on Christmas Day, quickly subdued Abdulmutallab after he set his pants on fire.

To the extent security failed, it failed before Abdulmutallab even got to the airport. Why was he issued an American visa? Why didn’t anyone follow up on his father’s tip? While I’m sure there are things to be improved and fixed, remember that everything is obvious in hindsight. After the fact, it’s easy to point to the bits of evidence and claim that someone should have “connected the dots.” But before the fact, when there are millions of dots—some important but the vast majority unimportant—uncovering plots is a lot harder.

Despite this, the proposed fixes focus on the details of the plot rather than the broad threat. We’re going to install full-body scanners, even though there are lots of ways to hide PETN—stuff it in a body cavity, spread it thinly on a garment—from the machines. We’re going to profile people traveling from 14 countries, even though it’s easy for a terrorist to travel from a different country. Seating requirements for the last hour of flight were the most ridiculous example.

The problem with all these measures is that they’re only effective if we guess the plot correctly. Defending against a particular tactic or target makes sense if tactics and targets are few. But there are hundreds of tactics and millions of targets, so all these measures will do is force the terrorists to make a minor modification to their plot.

It’s magical thinking: If we defend against what the terrorists did last time, we’ll somehow defend against what they do next time. Of course this doesn’t work. We take away guns and bombs, so the terrorists use box cutters. We take away box cutters and corkscrews, and the terrorists hide explosives in their shoes. We screen shoes, they use liquids. We limit liquids, they sew PETN into their underwear. We implement full-body scanners, and they’re going to do something else. This is a stupid game; we should stop playing it.

But we can’t help it. As a species, we’re hardwired to fear specific stories—terrorists with PETN underwear, terrorists on subways, terrorists with crop dusters—and we want to feel secure against those stories. So we implement security theater against the stories, while ignoring the broad threats.

What we need is security that’s effective even if we can’t guess the next plot: intelligence, investigation, and emergency response. Our foiling of the liquid bombers demonstrates this. They were arrested in London, before they got to the airport. It didn’t matter if they were using liquids—which they chose precisely because we weren’t screening for them—or solids or powders. It didn’t matter if they were targeting airplanes or shopping malls or crowded movie theaters. They were arrested, and the plot was foiled. That’s effective security.

Finally, we need to be indomitable. The real security failure on Christmas Day was in our reaction. We’re reacting out of fear, wasting money on the story rather than securing ourselves against the threat. Abdulmutallab succeeded in causing terror even though his attack failed.

If we refuse to be terrorized, if we refuse to implement security theater and remember that we can never completely eliminate the risk of terrorism, then the terrorists fail even if their attacks succeed.

This essay previously appeared on Sphere, the AOL.com news site.

EDITED TO ADD (1/8): Similar sentiment.

Posted on January 7, 2010 at 1:18 PM

Another Contest: Fixing Airport Security

Slate is hosting an airport security suggestions contest: ideas “for making airport security more effective, more efficient, or more pleasant.” Deadline is midday Friday.

I had already submitted a suggestion before I was asked to be a judge. Since I’m no longer eligible, here’s what I sent them:

Reduce the TSA’s budget, and spend the money on:

1. Intelligence. Security measures that focus on specific tactics or targets are a waste of money unless we guess the next attack correctly. Security measures that just force the terrorists to make a minor change in their tactics or targets are not money well spent.

2. Investigation. Since the terrorists deliberately choose plots that we’re not looking for, the best security is to stop plots before they get to the airport. Remember the arrest of the London liquid bombers.

3. Emergency response. Terrorism’s harm depends more on our reactions to attacks than the attacks themselves. We’re naturally resilient, but how we respond in those first hours and days is critical.

And as an added bonus, all of these measures protect us against non-airplane terrorism as well. All we have to do is stop focusing on specific movie plots, and start thinking about the overall threat.

Probably not what they were looking for, and certainly not anything the government is even going to remotely consider—but the smart solution all the same.

Posted on January 7, 2010 at 10:53 AM

Nate Silver on the Risks of Airplane Terrorism

Over at fivethirtyeight.com, Nate Silver crunches the numbers and concludes that, at least as far as terrorism is concerned, air travel is safer than it’s ever been:

In the 2000s, a total of 469 passengers (including crew and terrorists) were killed worldwide as the result of Violent Passenger Incidents, 265 of which were on 9/11 itself. No fatal incidents have occurred since nearly simultaneous bombings of two Russian aircraft on 8/24/2004; this makes for the longest streak without a fatal incident since World War II. The overall death toll during the 2000s is about the same as it was during the 1960s, and substantially less than in the 1970s and 1980s, when violent incidents peaked. The worst individual years were 1985, 1988 and 1989, in that order; 2001 ranks fourth.

Of course, there is a lot more air travel now than there was a couple of decades ago. Although worldwide data is difficult to obtain, U.S. air travel generally expanded at rates of 10-15% per year from the 1930s through 9/11. If we assume that U.S. air traffic represents about a third of the worldwide total (the U.S. share of global GDP, which is probably a reasonable proxy, has fairly consistently been between 26-28% during this period), we can estimate the number of deaths from Violent Passenger Incidents per one billion passenger boardings. By this measure, the 2000s tied the 1990s for being the safest on record, each of which were about six times safer than any previous decade. About 22 passengers per one billion enplanements were killed as the result of VPIs during the 2000s; this compares with a rate of about 191 deaths per billion enplanements during the 1960s.

Why? Because over the past decade, the risk of airplane terrorism has been very low:

Over the past decade, according to BTS, there have been 99,320,309 commercial airline departures that either originated or landed within the United States. Dividing by six, we get one terrorist incident per 16,553,385 departures.

These departures flew a collective 69,415,786,000 miles. That means there has been one terrorist incident per 11,569,297,667 miles flown. This distance is equivalent to 1,459,664 trips around the diameter of the Earth, 24,218 round trips to the Moon, or two round trips to Neptune.

Assuming an average airborne speed of 425 miles per hour, these airplanes were aloft for a total of 163,331,261 hours. Therefore, there has been one terrorist incident per 27,221,877 hours airborne. This can also be expressed as one incident per 1,134,245 days airborne, or one incident per 3,105 years airborne.

There were a total of 674 passengers, not counting crew or the terrorists themselves, on the flights on which these incidents occurred. By contrast, there have been 7,015,630,000 passenger enplanements over the past decade. Therefore, the odds of being on a given departure which is the subject of a terrorist incident have been 1 in 10,408,947 over the past decade. By contrast, the odds of being struck by lightning in a given year are about 1 in 500,000. This means that you could board 20 flights per year and still be less likely to be the subject of an attempted terrorist attack than to be struck by lightning.

In 2008, 37,000 people died in automobile accidents—the lowest number since 1961. Even so, that’s more than a 9/11 worth of fatalities every month, month after month, year after year.

There are all sorts of psychological biases that cause us to both misjudge risk and overreact to rare risks, but we can do better than that if we stop and think rationally.

Posted on January 6, 2010 at 2:59 PM
