This is an interview with me from SecurityFocus.
Page 41 of 42
This is an interview with me from SecurityFocus.
Two nights ago, my encryption algorithm Blowfish was mentioned on the Fox show “24.” An alleged computer expert from the fictional anti-terror agency CTU was trying to retrieve some files from a terrorist’s laptop. This is the exchange between the agent and the terrorist’s girlfriend:
They used Blowfish algorithm.
How can you tell?
By the tab on the file headers.
Can you decrypt it?
CTU has a proprietary algorithm. It shouldn’t take that long. We’ll start by trying to hack the password. Let’s start with the basics. Write down nicknames, birthdays, pets—anything you think he might have used.
I was selected as one of the Top 25 CTOs by InfoWorld.
For a couple of years I have been arguing that liability is a way to solve the economic problems underlying our computer security problems. At the RSA conference this year, I was on a panel on that very topic.
This essay argues that regulation, not liability, is the correct way to solve the underlying economic problems, using the analogy of high-pressure steam engines in the 1800s.
Definitely worth thinking about some more.
I’m at the RSA Conference here in San Francisco. Is anyone else here? What’s interesting on the show floor? Anything?
And what did you all think of Bill Gates’s speech this morning?
As I wrote previously, I am participating in a working group to study the security and privacy of Secure Flight, the U.S. government’s program to match airline passengers with a terrorist watch list. In the end, I signed the NDA allowing me access to SSI (Sensitive Security Information) documents, but managed to avoid filling out the paperwork for a SECRET security clearance.
Last week the group had its second meeting.
So far, I have four general conclusions. One, assuming that we need to implement a program of matching airline passengers with names on terrorism watch lists, Secure Flight is a major improvement—in almost every way—over what is currently in place. (And by this I mean the matching program, not any potential uses of commercial or other third-party data.)
Two, the security system surrounding Secure Flight is riddled with security holes. There are security problems with false IDs, ID verification, the ability to fly on someone else’s ticket, airline procedures, etc.
Three, the urge to use this system for other things will be irresistible. It’s just too easy to say: “As long as you’ve got this system that watches out for terrorists, how about also looking for this list of drug dealers…and by the way, we’ve got the Super Bowl to worry about too.” Once Secure Flight gets built, all it’ll take is a new law and we’ll have a nationwide security checkpoint system.
And four, a program of matching airline passengers with names on terrorism watch lists is not making us appreciably safer, and is a lousy way to spend our security dollars.
Unfortunately, Congress has mandated that Secure Flight be implemented, so it is unlikely that the program will be killed. And analyzing the effectiveness of the program in general, potential mission creep, and whether the general idea is a worthwhile one, is beyond the scope of our little group. In other words, my first conclusion is basically all that they’re interested in hearing.
But that means I can write about everything else.
To speak to my fourth conclusion: Imagine for a minute that Secure Flight is perfect. That is, we can ensure that no one can fly under a false identity, that the watch lists have perfect identity information, and that Secure Flight can perfectly determine if a passenger is on the watch list: no false positives and no false negatives. Even if we could do all that, Secure Flight wouldn’t be worth it.
Secure Flight is a passive system. It waits for the bad guys to buy an airplane ticket and try to board. If the bad guys don’t fly, it’s a waste of money. If the bad guys try to blow up shopping malls instead of airplanes, it’s a waste of money.
If I had some millions of dollars to spend on terrorism security, and I had a watch list of potential terrorists, I would spend that money investigating those people. I would try to determine whether or not they were a terrorism threat before they got to the airport, or even if they had no intention of visiting an airport. I would try to prevent their plot regardless of whether it involved airplanes. I would clear the innocent people, and I would go after the guilty. I wouldn’t build a complex computerized infrastructure and wait until one of them happened to wander into an airport. It just doesn’t make security sense.
That’s my usual metric when I think about a terrorism security measure: Would it be more effective than taking that money and funding intelligence, investigation, or emergency response—things that protect us regardless of what the terrorists are planning next. Money spent on security measures that only work against a particular terrorist tactic, forgetting that terrorists are adaptable, is largely wasted.
This article from SIGNAL has some interesting quotes by me.
I am participating in a working group to help evaluate the effectiveness and privacy implications of the TSA’s Secure Flight program. We’ve had one meeting so far, and it looks like it will be an interesting exercise.
For those who have not been following along, Secure Flight is the follow-on to CAPPS-I. (CAPPS stands for Computer Assisted Passenger Pre-Screening.) CAPPS-I has been in place since 1997, and is a simple system to match airplane passengers to a terrorist watch list. A follow-on system, CAPPS-II, was proposed last year. That complicated system would have given every traveler a risk score based on information in government and commercial databases. There was a huge public outcry over the invasiveness of the system, and it was cancelled over the summer. Secure Flight is the new follow-on system to CAPPS-I.
Many of us believe that Secure Flight is just CAPPS-II with a new name. I hope to learn whether or not that is true.
I hope to learn a lot of things about Secure Flight and airline passenger profiling in general, but I probably won’t be able to write about it. In order to be a member of this working group, I was required to apply for a U.S. government SECRET security clearance and sign an NDA, promising that I would not disclose something called “Sensitive Security Information.”
SSI is one of three new categories of secret information, all of I think have no reason to exist. There is already a classification scheme—CONFIDENTIAL, SECRET, TOP SECRET, etc.—and information should either fit into that scheme or be public. A new scheme is just confusing. The NDA we were supposed to sign was very general, and included such provisions as allowing the government to conduct warrantless searches of our residences. (Two federal unions have threatened to sue the government over several provisions in that NDA, which applies to many DHS employees. And just recently, the DHS backed down.)
After push-back by myself and several others, we were given a much less onerous NDA to sign.
I am not happy about the secrecy surrounding the working group. NDAs and classified briefings raise serious ethical issues for government oversight committees. My suspicion is that I will be wowed with secret, unverifiable assertions that I will either have to accept or (more likely) question, but not be able to discuss with others. In general, secret deliberations favor the interests of those who impose the rules. They really run against the spirit of the Federal Advisory Committee Act (FACA).
Moreover, I’m not sure why this working group is not in violation of FACA. FACA is a 1972 law intended to govern how the Executive branch uses groups of advisors outside the federal government. Among other rules, it requires that advisory committees announce their meetings, hold them in public, and take minutes that are available to the public. The DHS was given a specific exemption from FACA when it was established: the Secretary of Homeland Security has the authority to exempt any advisory committee from FACA; the only requirement is that the Secretary publish notice of the committee in the Federal Register. I looked, and have not seen any such announcement.
Because of the NDA and the failure to follow FACA, I will not be able to fully exercise my First Amendment rights. That means that the government can stop me from saying things that may be important for the public to know. For example, if I learn that the old CAPPS program failed to identify actual terrorists, or that a lot of people who were not terrorists were wrongfully pulled off planes and the government has tried to keep this quiet—I’m just making these up—I can’t tell you. The government could prosecute me under the NDA because they might claim these facts are SSI and the public would never know this information, because there would be no open meeting obligations as there are for FACA committees.
In other words, the secrecy of this committee could have a real impact on the public understanding of whether or not air passenger screening really works.
In any case, I hope I can help make Secure Flight an effective security tool. I hope I can help minimize the privacy invasions on the program if it continues, and help kill it if it is ineffective. I’m not optimistic, but I’m hopeful.
I’m not hopeful that you will ever learn the results of this working group. We’re preparing our report for the Aviation Security Advisory Committee, and I very much doubt that they will release the report to the public.
Story about unions objecting to the NDA
And a recent development that may or may not affect this group
In a story on a computer glitch that forced Comair to cancel 1,100 flighs on Christmas Day, I was quoted in an AP story as saying:
“If this kind of thing could happen by accident, what would happen if the bad guys did this on purpose?” he said.
I’m sure I said that, but I wish the reporter hadn’t used it. It’s just the sort of fear-mongering that I object to when others do it.
Mitch Wagner interviewed me for eWeek.
Sidebar photo of Bruce Schneier by Joe MacInnis.