Entries Tagged "economics of security"

Page 15 of 39

Terrorists Placing Fake Bombs in Public Places

Supposedly, the latest terrorist tactic is to place fake bombs—suspicious looking bags, backpacks, boxes, and coolers—in public places in an effort to paralyze the city and probe our defenses. The article doesn’t say whether or not this has actually ever happened, only that the FBI is warning of the tactic.

Citing an FBI informational document, ABC News reports a so called “battle of suspicious bags” is being encouraged on a jihadist website.

I have no doubt that this may happen, but I’m sure these are not actual terrorists doing the planting. We’re so easy to terrorize that anyone can play; this is the equivalent of hacking in the real world. One solution is to continue to overreact, and spend even more money on these fake threats. The other is to refuse to be terrorized.

Posted on June 9, 2010 at 6:24 AMView Comments

Canada Spending $1B on Security for G8/G20 Summit in June

Amazing:

The Canadian government disclosed Tuesday that the total price tag to police the elite Group of Eight meeting in Muskoka, as well as the bigger-tent Group of 20 summit starting a day later in downtown Toronto, has already climbed to more than $833-million. It said it’s preparing to spend up to $930-million for the three days of meetings that start June 25.

That price tag is more than 20 times the total reported cost for the April, 2009, G20 summit in Britain, with the government estimating a cost of $30-million, and seems much higher than security costs at previous summits ­ the Gleneagles G8 summit in Scotland, 2005, was reported to have spent $110-million on security, while the estimate for the 2008 G8 gathering in Japan was $381-million.

These numbers are crazy. There simply isn’t any justification for this kind of spending.

By comparison, the estimated total cost of security for the 17-day 2010 Winter Olympics in Vancouver was just over $898-million.

Think of all the actual security you can buy for that money.

EDITED TO ADD (6/12): Two links detailing how the money was probably spent. Pittsburgh’s cost, less than a year before, was estimated at $18 million.

EDITED TO ADD (6/28): The total seems to be $1.2B. I haven’t found any breakdown of the spending that differentiates between operational costs and capital improvements. If, for example, the Toronto police all got new radios out of this budget, those radios will continue to provide benefits for the city of Toronto long after the summit. On the other hand, money spent on extra security guards for the week provides no ongoing benefit.

My best quote to the media: “If it really costs this much to secure a meeting of the world’s leaders, maybe they should try video conferencing.”

Posted on May 31, 2010 at 8:58 AM

Outsourcing to an Indian Jail

This doesn’t seem like the best idea:

Authorities in the southern Indian state of Andhra Pradesh are planning to set up an outsourcing unit in a jail.

The unit will employ 200 educated convicts who will handle back office operations like data entry, and process and transmit information.

It’s not necessarily a bad idea, as long as misusable information isn’t being handled by the criminals.

The unit, which is expected to undertake back-office work for banks, will work round the clock with three shifts of 70 staff each.

Okay, definitely a bad idea.

Working in the unit will also be financially rewarding for the prisoners.

I’ll bet.

Posted on May 18, 2010 at 7:29 AMView Comments

Why Aren't There More Terrorist Attacks?

As the details of the Times Square car bomb attempt emerge in the wake of Faisal Shahzad’s arrest Monday night, one thing has already been made clear: Terrorism is fairly easy. All you need is a gun or a bomb, and a crowded target. Guns are easy to buy. Bombs are easy to make. Crowded targets—not only in New York, but all over the country—are easy to come by. If you’re willing to die in the aftermath of your attack, you could launch a pretty effective terrorist attack with a few days of planning, maybe less.

But if it’s so easy, why aren’t there more terrorist attacks like the failed car bomb in New York’s Times Square? Or the terrorist shootings in Mumbai? Or the Moscow subway bombings? After the enormous horror and tragedy of 9/11, why have the past eight years been so safe in the U.S.?

There are actually several answers to this question. One, terrorist attacks are harder to pull off than popular imagination—and the movies—lead everyone to believe. Two, there are far fewer terrorists than the political rhetoric of the past eight years leads everyone to believe. And three, random minor terrorist attacks don’t serve Islamic terrorists’ interests right now.

Hard to Pull Off

Terrorism sounds easy, but the actual attack is the easiest part.

Putting together the people, the plot and the materials is hard. It’s hard to sneak terrorists into the U.S. It’s hard to grow your own inside the U.S. It’s hard to operate; the general population, even the Muslim population, is against you.

Movies and television make terrorist plots look easier than they are. It’s hard to hold conspiracies together. It’s easy to make a mistake. Even 9/11, which was planned before the climate of fear that event engendered, just barely succeeded. Today, it’s much harder to pull something like that off without slipping up and getting arrested.

Few Terrorists

But even more important than the difficulty of executing a terrorist attack, there aren’t a lot of terrorists out there. Al-Qaida isn’t a well-organized global organization with movie-plot-villain capabilities; it’s a loose collection of people using the same name. Despite the post-9/11 rhetoric, there isn’t a terrorist cell in every major city. If you think about the major terrorist plots we’ve foiled in the U.S.—the JFK bombers, the Fort Dix plotters—they were mostly amateur terrorist wannabes with no connection to any sort of al-Qaida central command, and mostly no ability to effectively carry out the attacks they planned.

The successful terrorist attacks—the Fort Hood shooter, the guy who flew his plane into the Austin IRS office, the anthrax mailer—were largely nut cases operating alone. Even the unsuccessful shoe bomber, and the equally unsuccessful Christmas Day underwear bomber, had minimal organized help—and that help originated outside the U.S.

Terrorism doesn’t occur without terrorists, and they are far rarer than popular opinion would have it.

Small Attacks Aren’t Enough

Lastly, and perhaps most subtly, there’s not a lot of value in unspectacular terrorism anymore.

If you think about it, terrorism is essentially a PR stunt. The death of innocents and the destruction of property isn’t the goal of terrorism; it’s just the tactic used. And acts of terrorism are intended for two audiences: for the victims, who are supposed to be terrorized as a result, and for the allies and potential allies of the terrorists, who are supposed to give them more funding and generally support their efforts.

An act of terrorism that doesn’t instill terror in the target population is a failure, even if people die. And an act of terrorism that doesn’t impress the terrorists’ allies is not very effective, either.

Fortunately for us and unfortunately for the terrorists, 9/11 upped the stakes. It’s no longer enough to blow up something like the Oklahoma City Federal Building. Terrorists need to blow up airplanes or the Brooklyn Bridge or the Sears Tower or JFK airport—something big to impress the folks back home. Small no-name targets just don’t cut it anymore.

Note that this is very different than terrorism by an occupied population: the IRA in Northern Ireland, Iraqis in Iraq, Palestinians in Israel. Setting aside the actual politics, all of these terrorists believe they are repelling foreign invaders. That’s not the situation here in the U.S.

So, to sum up: If you’re just a loner wannabe who wants to go out with a bang, terrorism is easy. You’re more likely to get caught if you take a long time to plan or involve a bunch of people, but you might succeed. If you’re a representative of al-Qaida trying to make a statement in the U.S., it’s much harder. You just don’t have the people, and you’re probably going to slip up and get caught.

This essay originally appeared on AOL News.

EDITED TO ADD (5/5): A similar sentiment about the economic motivations of terrorists.

Posted on May 5, 2010 at 7:09 AMView Comments

Preventing Terrorist Attacks in Crowded Areas

On the New York Times Room for Debate Blog, I—along with several other people—was asked about how to prevent terrorist attacks in crowded areas. This is my response.

In the wake of Saturday’s failed Times Square car bombing, it’s natural to ask how we can prevent this sort of thing from happening again. The answer is stop focusing on the specifics of what actually happened, and instead think about the threat in general.

Think about the security measures commonly proposed. Cameras won’t help. They don’t prevent terrorist attacks, and their forensic value after the fact is minimal. In the Times Square case, surely there’s enough other evidence—the car’s identification number, the auto body shop the stolen license plates came from, the name of the fertilizer store—to identify the guy. We will almost certainly not need the camera footage. The images released so far, like the images in so many other terrorist attacks, may make for exciting television, but their value to law enforcement officers is limited.

Check points won’t help, either. You can’t check everybody and everything. There are too many people to check, and too many train stations, buses, theaters, department stores and other places where people congregate. Patrolling guards, bomb-sniffing dogs, chemical and biological weapons detectors: they all suffer from similar problems. In general, focusing on specific tactics or defending specific targets doesn’t make sense. They’re inflexible; possibly effective if you guess the plot correctly, but completely ineffective if you don’t. At best, the countermeasures just force the terrorists to make minor changes in their tactic and target.

It’s much smarter to spend our limited counterterrorism resources on measures that don’t focus on the specific. It’s more efficient to spend money on investigating and stopping terrorist attacks before they happen, and responding effectively to any that occur. This approach works because it’s flexible and adaptive; it’s effective regardless of what the bad guys are planning for next time.

After the Christmas Day airplane bombing attempt, I was asked how we can better protect our airplanes from terrorist attacks. I pointed out that the event was a security success—the plane landed safely, nobody was hurt, a terrorist was in custody—and that the next attack would probably have nothing to do with explosive underwear. After the Moscow subway bombing, I wrote that overly specific security countermeasures like subway cameras and sensors were a waste of money.

Now we have a failed car bombing in Times Square. We can’t protect against the next imagined movie-plot threat. Isn’t it time to recognize that the bad guys are flexible and adaptive, and that we need the same quality in our countermeasures?

I know, nothing I haven’t said many times before.

Steven Simon likes cameras, although his arguments are more movie-plot than real. Michael Black, Noah Shachtman, Michael Tarr, and Jeffrey Rosen all write about the limitations of security cameras. Paul Ekman wants more people. And Richard Clarke has a nice essay about how we shouldn’t panic.

Posted on May 4, 2010 at 1:31 PMView Comments

Security for Implantable Medical Devices

Interesting study: “Patients, Pacemakers, and Implantable Defibrillators: Human Values and Security for Wireless Implantable Medical Devices,” Tamara Denning, Alan Borning, Batya Friedman, Brian T. Gill, Tadayoshi Kohno, and William H. Maisel.

Abstract: Implantable medical devices (IMDs) improve patients’ quality of life and help sustain their lives. In this study, we explore patient views and values regarding their devices to inform the design of computer security for wireless IMDs. We interviewed 13 individuals with implanted cardiac devices. Key questions concerned the evaluation of 8 mockups of IMD security systems. Our results suggest that some systems that are technically viable are nonetheless undesirable to patients. Patients called out a number of values that affected their attitudes towards the systems, including perceived security, safety, freedom from unwanted cultural and historical associations, and self-image. In our analysis, we extend the Value Sensitive Design value dams and flows technique in order to suggest multiple, complementary systems; in our discussion, we highlight some of the usability, regulatory, and economic complexities that arise from offering multiple options. We conclude by offering design guidelines for future security systems for IMDs.

Posted on April 15, 2010 at 1:55 PMView Comments

Externalities and Identity Theft

Chris Hoofnagle has a new paper: “Internalizing Identity Theft.” Basically, he shows that one of the problems is that lenders extend credit even when credit applications are sketchy.

From an article on the work:

Using a 2003 amendment to the Fair Credit Reporting Act that allows victims of ID theft to ask creditors for the fraudulent applications submitted in their names, Mr. Hoofnagle worked with a small sample of six ID theft victims and delved into how they were defrauded.

Of 16 applications presented by imposters to obtain credit or medical services, almost all were rife with errors that should have suggested fraud. Yet in all 16 cases, credit or services were granted anyway.

In the various cases described in the paper, which was published on Wednesday in The U.C.L.A. Journal of Law and Technology, one victim found four of six fraudulent applications submitted in her name contained the wrong address; two contained the wrong phone number and one the wrong date of birth.

Another victim discovered that his imposter was 70 pounds heavier, yet successfully masqueraded as him using what appeared to be his stolen driver’s license, and in one case submitted an incorrect Social Security number.

This is a textbook example of an economic externality. Because most of the cost of identity theft is borne by the victim—even with the lender reimbursing the victim if pushed to—the lenders make the trade-off that’s best for their business, and that means issuing credit even in marginal situations. They make more money that way.

If we want to reduce identity theft, the only solution is to internalize that externality. Either give victims the ability to sue lenders who issue credit in their names to identity thieves, or pass a law with penalties if lenders do this.

Among the ways to move the cost of the crime back to issuers of credit, Mr. Hoofnagle suggests that lenders contribute to a fund that will compensate victims for the loss of their time in resolving their ID theft problems.

Posted on April 14, 2010 at 6:57 AMView Comments

The Effectiveness of Air Marshals

Air marshals are being arrested faster than air marshals are making arrests.

Actually, there have been many more arrests of Federal air marshals than that story reported, quite a few for felony offenses. In fact, more air marshals have been arrested than the number of people arrested by air marshals.

We now have approximately 4,000 in the Federal Air Marshals Service, yet they have made an average of just 4.2 arrests a year since 2001. This comes out to an average of about one arrest a year per 1,000 employees.

Now, let me make that clear. Their thousands of employees are not making one arrest per year each. They are averaging slightly over four arrests each year by the entire agency. In other words, we are spending approximately $200 million per arrest. Let me repeat that: we are spending approximately $200 million per arrest.

Posted on April 8, 2010 at 6:22 AMView Comments

Should the Government Stop Outsourcing Code Development?

Information technology is increasingly everywhere, and it’s the same technologies everywhere. The same operating systems are used in corporate and government computers. The same software controls critical infrastructure and home shopping. The same networking technologies are used in every country. The same digital infrastructure underpins the small and the large, the important and the trivial, the local and the global; the same vendors, the same standards, the same protocols, the same applications.

With all of this sameness, you’d think these technologies would be designed to the highest security standard, but they’re not. They’re designed to the lowest or, at best, somewhere in the middle. They’re designed sloppily, in an ad hoc manner, with efficiency in mind. Security is a requirement, more or less, but it’s a secondary priority. It’s far less important than functionality, and security is what gets compromised when schedules get tight.

Should the government—ours, someone else’s?—stop outsourcing code development? That’s the wrong question to ask. Code isn’t magically more secure when it’s written by someone who receives a government paycheck than when it’s written by someone who receives a corporate paycheck. It’s not magically less secure when it’s written by someone who speaks a foreign language, or is paid by the hour instead of by salary. Writing all your code in-house isn’t even a viable option anymore; we’re all stuck with software written by who-knows-whom in who-knows-which-country. And we need to figure out how to get security from that.

The traditional solution has been defense in depth: layering one mediocre security measure on top of another mediocre security measure. So we have the security embedded in our operating system and applications software, the security embedded in our networking protocols, and our additional security products such as antivirus and firewalls. We hope that whatever security flaws—either found and exploited, or deliberately inserted—there are in one layer are counteracted by the security in another layer, and that when they’re not, we can patch our systems quickly enough to avoid serious long-term damage. That is a lousy solution when you think about it, but we’ve been more-or-less managing with it so far.

Bringing all software—and hardware, I suppose—development in-house under some misconception that proximity equals security is not a better solution. What we need is to improve the software development process, so we can have some assurance that our software is secure—regardless of what coder, employed by what company, and living in what country, writes it. The key word here is “assurance.”

Assurance is less about developing new security techniques than about using the ones we already have. It’s all the things described in books on secure coding practices. It’s what Microsoft is trying to do with its Security Development Lifecycle. It’s the Department of Homeland Security’s Build Security In program. It’s what every aircraft manufacturer goes through before it fields a piece of avionics software. It’s what the NSA demands before it purchases a piece of security equipment. As an industry, we know how to provide security assurance in software and systems. But most of the time, we don’t care; commercial software, as insecure as it is, is good enough for most purposes.

Assurance is expensive, in terms of money and time, for both the process and the documentation. But the NSA needs assurance for critical military systems and Boeing needs it for its avionics. And the government needs it more and more: for voting machines, for databases entrusted with our personal information, for electronic passports, for communications systems, for the computers and systems controlling our critical infrastructure. Assurance requirements should be more common in government IT contracts.

The software used to run our critical infrastructure—government, corporate, everything—isn’t very secure, and there’s no hope of fixing it anytime soon. Assurance is really our only option to improve this, but it’s expensive and the market doesn’t care. Government has to step in and spend the money where its requirements demand it, and then we’ll all benefit when we buy the same software.

This essay first appeared in Information Security, as the second part of a point-counterpoint with Marcus Ranum. You can read Marcus’s essay there as well.

Posted on March 31, 2010 at 6:54 AMView Comments

1 13 14 15 16 17 39

Sidebar photo of Bruce Schneier by Joe MacInnis.