Entries Tagged "national security policy"

Page 53 of 59

The U.S. Terrorist Database

Interesting article about the terrorist database: Terrorist Identities Datamart Environment (TIDE).

It’s huge:

Ballooning from fewer than 100,000 files in 2003 to about 435,000, the growing database threatens to overwhelm the people who manage it. “The single biggest worry that I have is long-term quality control,” said Russ Travers, in charge of TIDE at the National Counterterrorism Center in McLean. “Where am I going to be, where is my successor going to be, five years down the road?”

TIDE has also created concerns about secrecy, errors and privacy. The list marks the first time foreigners and U.S. citizens are combined in an intelligence database. The bar for inclusion is low, and once someone is on the list, it is virtually impossible to get off it. At any stage, the process can lead to “horror stories” of mixed-up names and unconfirmed information, Travers acknowledged.

Mostly the article tells you things you already know: the list is riddled with errors, and there’s no defined process for getting on or off the list. But the most surreal quote is at the end, from Rick Kopel, the center’s acting director:

The center came in for ridicule last year when CBS’s “60 Minutes” noted that 14 of the 19 Sept. 11 hijackers were listed—five years after their deaths. Kopel defended the listings, saying that “we know for a fact that these people will use names that they believe we are not going to list because they’re out of circulation—either because they’re dead or incarcerated. . . . It’s not willy-nilly. Every name on the list, there’s a reason that it’s on there.”

Get that? There’s someone who deliberately puts wrong names on the list because they think the terrorists might use aliases, and they want to catch them. Given that reasoning, wouldn’t you want to put the entire phone book on the list?

Posted on March 26, 2007 at 2:05 PMView Comments

U.S Terrorism Arrests/Convictions Significantly Overstated

Interesting report (long, but at least read the Executive Summary) from the U.S. Department of Justice’s Inspector General that says, basically, that all the U.S. terrorism statistics since 9/11—arrests, convictions, and so on—have been grossly inflated.

As summarized in the following table, we determined that the FBI, EOUSA, and the Criminal Division did not accurately report 24 of the 26 statistics we reviewed.

“EOUSA” is the Executive Office for United States Attorneys, part of the U.S. Department of Justice.

The report gives a series of reasons why the statistics were so bad. Here’s one:

The number of terrorism-related convictions was overstated because the FBI initially coded the investigative cases as terrorism-related when the cases were opened, but did not recode cases when no link to terrorism was established.

And here’s an example of a problem:

For example, Operation Tarmac was a worksite enforcement operation launched in November 2001 at the nation’s airports. During this operation, Department and other federal agents went into regional airports and checked the immigration papers of airport workers. The agents then arrested any individuals who used falsified documents, such as social security numbers, drivers’ licenses, and other identification documents, to gain employment. EOUSA officials told us they believe these defendants are properly coded under the anti-terrorism program activity. We do not agree that law enforcement efforts such as these should be counted as “anti-terrorism” unless the subject or target is reasonably linked to terrorist activity.

There’s an enormous amount of detail in the report, if you want to wade through the 80ish pages of report and another 80ish of appendices.

Posted on February 23, 2007 at 7:13 AMView Comments

CYA Security

Since 9/11, we’ve spent hundreds of billions of dollars defending ourselves from terrorist attacks. Stories about the ineffectiveness of many of these security measures are common, but less so are discussions of why they are so ineffective. In short: much of our country’s counterterrorism security spending is not designed to protect us from the terrorists, but instead to protect our public officials from criticism when another attack occurs.

Boston, January 31: As part of a guerilla marketing campaign, a series of amateur-looking blinking signs depicting characters in the Aqua Teen Hunger Force, a show on the Cartoon Network, were placed on bridges, near a medical center, underneath an interstate highway, and in other crowded public places.

Police mistook these signs for bombs and shut down parts of the city, eventually spending over $1M sorting it out. Authorities blasted the stunt as a terrorist hoax, while others ridiculed the Boston authorities for overreacting. Almost no one looked beyond the finger pointing and jeering to discuss exactly why the Boston authorities overreacted so badly. They overreacted because the signs were weird.

If someone left a backpack full of explosives in a crowded movie theater, or detonated a truck bomb in the middle of a tunnel, no one would demand to know why the police hadn’t noticed it beforehand. But if a weird device with blinking lights and wires turned out to be a bomb—what every movie bomb looks like—there would be inquiries and demands for resignations. It took the police two weeks to notice the Mooninite blinkies, but once they did, they overreacted because their jobs were at stake.

This is “Cover Your Ass” security, and unfortunately it’s very common.

Airplane security seems to forever be looking backwards. Pre-9/11, it was bombs, guns, and knives. Then it was small blades and box cutters. Richard Reid tried to blow up a plane, and suddenly we all have to take off our shoes. And after last summer’s liquid plot, we’re stuck with a series of nonsensical bans on liquids and gels.

Once you think about this in terms of CYA, it starts to make sense. The TSA wants to be sure that if there’s another airplane terrorist attack, it’s not held responsible for letting it slip through. One year ago, no one could blame the TSA for not detecting liquids. But since everything seems obvious in hindsight, it’s basic job preservation to defend against what the terrorists tried last time.

We saw this kind of CYA security when Boston and New York randomly checked bags on the subways after the London bombing, or when buildings started sprouting concrete barriers after the Oklahoma City bombing. We also see it in ineffective attempts to detect nuclear bombs; authorities employ CYA security against the media-driven threat so they can say “we tried.”

At the same time, we’re ignoring threat possibilities that don’t make the news as much—against chemical plants, for example. But if there were ever an attack, that would change quickly.

CYA also explains the TSA’s inability to take anyone off the no-fly list, no matter how innocent. No one is willing to risk his career on removing someone from the no-fly list who might—no matter how remote the possibility—turn out to be the next terrorist mastermind.

Another form of CYA security is the overly specific countermeasures we see during big events like the Olympics and the Oscars, or in protecting small towns. In all those cases, those in charge of the specific security don’t dare return the money with a message “use this for more effective general countermeasures.” If they were wrong and something happened, they’d lose their jobs.

And finally, we’re seeing CYA security on the national level, from our politicians. We might be better off as a nation funding intelligence gathering and Arabic translators, but it’s a better re-election strategy to fund something visible but ineffective, like a national ID card or a wall between the U.S. and Mexico.

Securing our nation from threats that are weird, threats that either happened before or captured the media’s imagination, and overly specific threats are all examples of CYA security. It happens not because the authorities involved—the Boston police, the TSA, and so on—are not competent, or not doing their job. It happens because there isn’t sufficient national oversight, planning, and coordination.

People and organizations respond to incentives. We can’t expect the Boston police, the TSA, the guy who runs security for the Oscars, or local public officials to balance their own security needs against the security of the nation. They’re all going to respond to the particular incentives imposed from above. What we need is a coherent antiterrorism policy at the national level: one based on real threat assessments, instead of fear-mongering, re-election strategies, or pork-barrel politics.

Sadly, though, there might not be a solution. All the money is in fear-mongering, re-election strategies, and pork-barrel politics. And, like so many things, security follows the money.

This essay originally appeared on Wired.com.

EDITED TO ADD (2/23): Interesting commentary, and a Slashdot thread.

Posted on February 22, 2007 at 5:52 AMView Comments

Homeland Security Pork

This article is a perfect illustrating of the wasteful, pork-barrel, political spending that we like to call “homeland security.” And to think we could actually be spending this money on something useful.

When the fire department in the tiny Berkshire hamlet of Cheshire needed a new fire truck, it asked Uncle Sam for a little help.

The response last month was stunning: a $665,962 homeland security grant.

The award was nearly 26 times the annual budget of the volunteer fire department in the town of 3,500. And the rub: The department is not allowed to spend it on a fire truck.

[…]

The town does have the Cheshire Cheese Monument, a sizable concrete sculpture of a cheese press commemorating a 1,450-pound cheese hunk given by town elders to Thomas Jefferson in 1801. But its value as a terrorist target is not readily apparent.

[…]

…Sweet said he might use some of the money to recruit high school students. Or he might put some of the windfall into a marketing campaign to lure volunteers to Cheshire.

“It’ll be on billboards, TVs, and radio stations, and that kind of stuff,” he said. “We’ll have to spend it wisely.”

How many times is this story being repeated across the country? I’m sure the town needs its fire truck, and I hope it gets it. But this is just appalling.

Posted on February 12, 2007 at 6:20 AMView Comments

Schneier on Video: Security Theater Against Movie Plot Threats

On June 10, 2006, I gave a talk at the ACLU New Jersey Membership Conference: “Counterterrorism in America: Security Theater Against Movie-Plot Threats.” Here’s the video.

EDITED TO ADD (2/10): The video is a little over an hour long. You can download the .WMV version directly here. It will play in the cross-platform, GPL VLC media player, but you may need to upgrade to the most recent version (0.8.6).

EDITED TO ADD (2/11): Someone put the video up on Google Video.

Posted on February 9, 2007 at 1:07 PMView Comments

U.S. Government to Encrypt All Laptops

This is a good idea:

To address the issue of data leaks of the kind we’ve seen so often in the last year because of stolen or missing laptops, writes Saqib Ali, the Feds are planning to use Full Disk Encryption (FDE) on all Government-owned computers.

“On June 23, 2006 a Presidential Mandate was put in place requiring all agency laptops to fully encrypt data on the HDD. The U.S. Government is currently conducting the largest single side-by-side comparison and competition for the selection of a Full Disk Encryption product. The selected product will be deployed on Millions of computers in the U.S. federal government space. This implementation will end up being the largest single implementation ever, and all of the information regarding the competition is in the public domain. The evaluation will come to an end in 90 days. You can view all the vendors competing and list of requirements.”

Certainly, encrypting everything is overkill, but it’s much easier than figuring out what to encrypt and what not to. And I really like that there is a open competition to choose which encryption program to use. It’s certainly a high-stakes competition among the vendors, but one that is likely to improve the security of all products. I’ve long said that one of the best things the government can do to improve computer security is to use its vast purchasing power to pressure vendors to improve their security. I would expect the winner to make a lot of sales outside of the contract, and for the losers to correct their deficiencies so they’ll do better next time.

Side note: Key escrow is a requirement, something that makes sense in a government or corporate application:

Capable of secure escrow and recovery of the symetric [sic] encryption key

I wonder if the NSA is involved in the evaluation at all, and if its analysis will be made public.

Posted on January 3, 2007 at 2:00 PMView Comments

1 51 52 53 54 55 59

Sidebar photo of Bruce Schneier by Joe MacInnis.