Port Defense Against Swimming Terrorists
Cool science and engineering, but definitely a movie-plot threat.
Entries Tagged "terrorism"
Page 56 of 80
Tactics, Targets, and Objectives
If you encounter an aggressive lion, stare him down. But not a leopard; avoid his gaze at all costs. In both cases, back away slowly; don’t run. If you stumble on a pack of hyenas, run and climb a tree; hyenas can’t climb trees. But don’t do that if you’re being chased by an elephant; he’ll just knock the tree down. Stand still until he forgets about you.
I spent the last few days on safari in a South African game park, and this was just some of the security advice we were all given. What’s interesting about this advice is how well-defined it is. The defenses might not be terribly effective—you still might get eaten, gored or trampled—but they’re your best hope. Doing something else isn’t advised, because animals do the same things over and over again. These are security countermeasures against specific tactics.
Lions and leopards learn tactics that work for them, and I was taught tactics to defend myself. Humans are intelligent, and that means we are more adaptable than animals. But we’re also, generally speaking, lazy and stupid; and, like a lion or hyena, we will repeat tactics that work. Pickpockets use the same tricks over and over again. So do phishers, and school shooters. If improvised explosive devices didn’t work often enough, Iraqi insurgents would do something else.
So security against people generally focuses on tactics as well.
A friend of mine recently asked me where she should hide her jewelry in her apartment, so that burglars wouldn’t find it. Burglars tend to look in the same places all the time—dresser tops, night tables, dresser drawers, bathroom counters—so hiding valuables somewhere else is more likely to be effective, especially against a burglar who is pressed for time. Leave decoy cash and jewelry in an obvious place so a burglar will think he’s found your stash and then leave. Again, there’s no guarantee of success, but it’s your best hope.
The key to these countermeasures is to find the pattern: the common attack tactic that is worth defending against. That takes data. A single instance of an attack that didn’t work—liquid bombs, shoe bombs—or one instance that did—9/11—is not a pattern. Implementing defensive tactics against them is the same as my safari guide saying: “We’ve only ever heard of one tourist encountering a lion. He stared it down and survived. Another tourist tried the same thing with a leopard, and he got eaten. So when you see a lion….” The advice I was given was based on thousands of years of collective wisdom from people encountering African animals again and again.
Compare this with the Transportation Security Administration’s approach. With every unique threat, TSA implements a countermeasure with no basis to say that it helps, or that the threat will ever recur.
Furthermore, human attackers can adapt more quickly than lions. A lion won’t learn that he should ignore people who stare him down, and eat them anyway. But people will learn. Burglars now know the common “secret” places people hide their valuables—the toilet, cereal boxes, the refrigerator and freezer, the medicine cabinet, under the bed—and look there. I told my friend to find a different secret place, and to put decoy valuables in a more obvious place.
This is the arms race of security. Common attack tactics result in common countermeasures. Eventually, those countermeasures will be evaded and new attack tactics developed. These, in turn, require new countermeasures. You can easily see this in the constant arms race that is credit card fraud, ATM fraud or automobile theft.
The result of these tactic-specific security countermeasures is to make the attacker go elsewhere. For the most part, the attacker doesn’t particularly care about the target. Lions don’t care who or what they eat; to a lion, you’re just a conveniently packaged bag of protein. Burglars don’t care which house they rob, and terrorists don’t care who they kill. If your countermeasure makes the lion attack an impala instead of you, or if your burglar alarm makes the burglar rob the house next door instead of yours, that’s a win for you.
Tactics matter less if the attacker is after you personally. If, for example, you have a priceless painting hanging in your living room and the burglar knows it, he’s not going to rob the house next door instead—even if you have a burglar alarm. He’s going to figure out how to defeat your system. Or he’ll stop you at gunpoint and force you to open the door. Or he’ll pose as an air-conditioner repairman. What matters is the target, and a good attacker will consider a variety of tactics to reach his target.
This approach requires a different kind of countermeasure, but it’s still well-understood in the security world. For people, it’s what alarm companies, insurance companies and bodyguards specialize in. President Bush needs a different level of protection against targeted attacks than Bill Gates does, and I need a different level of protection than either of them. It would be foolish of me to hire bodyguards in case someone was targeting me for robbery or kidnapping. Yes, I would be more secure, but it’s not a good security trade-off.
Al-Qaida terrorism is different yet again. The goal is to terrorize. It doesn’t care about the target, but it doesn’t have any pattern of tactic, either. Given that, the best way to spend our counterterrorism dollar is on intelligence, investigation and emergency response. And to refuse to be terrorized.
These measures are effective because they don’t assume any particular tactic, and they don’t assume any particular target. We should only apply specific countermeasures when the cost-benefit ratio makes sense (reinforcing airplane cockpit doors) or when a specific tactic is repeatedly observed (lions attacking people who don’t stare them down). Otherwise, general countermeasures are far more effective a defense.
This essay originally appeared on Wired.com.
EDITED TO ADD (6/14): Learning behavior in tigers.
Counterfeiting Is not Terrorism
This is a surreal story of someone who was chained up for hours for trying to spend $2 bills. Clerks at Best Buy thought the bills were counterfeit, and had him arrested.
The most surreal quote of the article is the last sentence:
Commenting on the incident, Baltimore County police spokesman Bill Toohey told the Sun: “It’s a sign that we’re all a little nervous in the post-9/11 world.”
What in the world do the terrorist attacks of 9/11 have to do with counterfeiting? How does being “a little nervous in the post-9/11 world” have anything to do with this incident? Counterfeiting is not terrorism; it isn’t even a little bit like terrorism.
EDITED TO ADD (5/30): The story is from 2005.
Department of Homeland Security Not Focused on Terrorism
I thought terrorism is why we have a DHS, but they’ve been preoccupied with other things:
Of the 814,073 people charged by DHS in immigration courts during the past three years, 12 faced charges of terrorism, TRAC said.
Those 12 cases represent 0.0015 percent of the total number of cases filed.
“The DHS claims it is focused on terrorism. Well that’s just not true,” said David Burnham, a TRAC spokesman. “Either there’s no terrorism, or they’re terrible at catching them. Either way it’s bad for all of us.”
The TRAC analysis also found that DHS filed a minuscule number of what are called “national security” charges against people in the immigration courts. The report stated that 114, or 0.014 percent of the total of roughly 800,000 individuals charged were charged with national security violations.
TRAC reported more than 85 percent of the charges involved more common immigration violations such as not having a valid immigrant visa, overstaying a student visa or entering the United States without an inspection.
TRAC is a great group, and I recommend wandering around their site if you’re interested in what the U.S. government is actually doing.
Joke That'll Get You Arrested
Don’t say that I didn’t warn you:
If you are sitting next to someone who irritates you on a plane or train…
1. Quietly and calmly open up your laptop case.
2. Remove your laptop.
3. Boot it.
4. Make sure the person who won’t leave you alone can see the screen.
5. Open your email client to this message.
6. Close your eyes and tilt your head up to the sky.
7. Then hit this link: http://www.thecleverest.com/countdown.swf
If you try it, post what happened in comments.
Mobile Phones Disabled When President Bush Visits Sydney
In an effort to prevent terrorism, parts of the mobile phone network will be disabled when President Bush visits Australia. I’ve written about this kind of thing before; it’s a perfect example of security theater: a countermeasure that works if you happen to guess the specific details of the plot correctly, and completely useless otherwise.
On the plus side, it’s only a small area that’s blocked:
It is expected mobile phone calls will drop out in an area the size of a football field as the helicopter passes overhead.
EDITED TO ADD (5/19): Slashdot thread.
EDITED TO ADD (5/20): The Register article.
Schneier Talk at Macalester College
On April 3, I gave a talk at Macalester College titled “Counterterrorism in America: Security Theater Against Movie-Plot Threats.” The audio and video of the talk are online.
REAL ID Action Required Now
I’ve written about the U.S. national ID card—REAL ID—extensively (most recently here). The Department of Homeland Security has published draft rules regarding REAL ID, and are requesting comments. Comments are due today, by 5:00 PM Eastern Time. Please, please, please, go to this Privacy Coalition site and submit your comments. The DHS has been making a big deal about the fact that so few people are commenting, and we need to prove them wrong.
This morning the Senate Judiciary Committee held hearings on REAL ID (info—and eventually a video—here); I was one of the witnesses who testified.
And lastly, Richard Forno and I wrote this essay for News.com:
In March, the Department of Homeland Security released its long-awaited guidance document regarding national implementation of the Real ID program, as part of its post-9/11 national security initiatives. It is perhaps quite telling that despite bipartisan opposition, Real ID was buried in a 2005 “must-pass” military spending bill and enacted into law without public debate or congressional hearings.
DHS has maintained that the Real ID concept is not a national identification database. While it’s true that the system is not a single database per se, this is a semantic dodge; according to the DHS document, Real ID will be a collaborative data-interchange environment built from a series of interlinking systems operated and administered by the states. In other words, to the Department of Homeland Security, it’s not a single database because it’s not a single system. But the functionality of a single database remains intact under the guise of a federated data-interchange environment.
The DHS document notes the “primary benefit of Real ID is to improve the security and lessen the vulnerability of federal buildings, nuclear facilities, and aircraft to terrorist attack.” We know now that vulnerable cockpit doors were the primary security weakness contributing to 9/11, and reinforcing them was a long-overdue protective measure to prevent hijackings. But this still raises an interesting question: Are there really so many members of the American public just “dropping by” to visit a nuclear facility that it’s become a primary reason for creating a national identification system? Are such visitors actually admitted?
DHS proposes guidelines for proving one’s identity and residence when applying for a Real ID card. Yet while the department concedes it’s a monumental task to prove one’s domicile or residence, it leaves it up to the states to determine what documents would be adequate proof of residence—and even suggests that a utility bill or bank statement might be appropriate documentation. If so, a person could easily generate multiple proof-of-residence documents. Basing Real ID on such easy-to-forge documents obviates a large portion of what Real ID is supposed to accomplish.
Finally, and perhaps most importantly for Americans, the very last paragraph of the 160-page Real ID document deserves special attention. In a nod to states’ rights advocates, DHS declares that states are free not to participate in the Real ID system if they choose—but any identification card issued by a state that does not meet Real ID criteria is to be clearly labeled as such, to include “bold lettering” or a “unique design” similar to how many states design driver’s licenses for those under 21 years of age.
In its own guidance document, the department has proposed branding citizens not possessing a Real ID card in a manner that lets all who see their official state-issued identification know that they’re “different,” and perhaps potentially dangerous, according to standards established by the federal government. They would become stigmatized, branded, marked, ostracized, segregated. All in the name of protecting the homeland; no wonder this provision appears at the very end of the document.
One likely outcome of this DHS-proposed social segregation is that people presenting non-Real ID identification automatically will be presumed suspicious and perhaps subject to additional screening or surveillance to confirm their innocence at a bar, office building, airport or routine traffic stop. Such a situation would establish a new form of social segregation—an attempt to separate “us” from “them” in the age of counterterrorism and the new normal, where one is presumed suspicious until proven more suspicious.
Two other big-picture concerns about Real ID come to mind: Looking at the overall concept of a national identification database, and given existing data security controls in large distributed systems, one wonders how vulnerable this system-of-systems will be to data loss or identity theft resulting from unscrupulous employees, flawed technologies, external compromises or human error—even under the best of security conditions. And second, there is no clear guidance on the limits of how the Real ID database would be used. Other homeland security initiatives, such as the Patriot Act, have been used and applied—some say abused—for purposes far removed from anything related to homeland security. How can we ensure the same will not happen with Real ID?
As currently proposed, Real ID will fail for several reasons. From a technical and implementation perspective, there are serious questions about its operational abilities both to protect citizen information and resist attempts at circumvention by adversaries. Financially, the initial unfunded $11 billion cost, forced onto the states by the federal government, is excessive. And from a sociological perspective, Real ID will increase the potential for expanded personal surveillance and lay the foundation for a new form of class segregation in the name of protecting the homeland.
It’s time to rethink some of the security decisions made during the emotional aftermath of 9/11 and determine whether they’re still a good idea for homeland security and America. After all, if Real ID was such a well-conceived plan, Maine and 22 other states wouldn’t be challenging it in their legislatures or rejecting the Real ID concept for any number of reasons. But they are.
And we as citizens should, too. Let the debate begin.
Again, go to this Privacy Coalition site and express your views. Today. Before 5:00 PM Eastern Time. (Or, if you prefer, you can use EFF’s comments page.)
Really. It will make a difference.
EDITED TO ADD (5/8): Status of anti-REAL-ID legislation in the states.
EDITED TO ADD (5/9): Article on the hearing.
Stink Bombs As Terrorist Tools
Two teenage boys detonated a stink bomb on a Sydney commuter train, and prompted a counter-terrorism response.
Best quote:
“It would have been terrifying. You’re on a train, you hear a loud bang, the logical conclusion that people drew was (that it was) probably a terrorist attack,” Mr Owens told reporters.
I agree that it was the conclusion that people drew, but not that it was a logical conclusion.
UK Police Blow Up Bat Detector
Boston-style idiocy from the UK:
Officers were called to Handcross at noon yesterday after a member of the public spotted the box under a bridge over the A23.
Police immediately set-up a no-go zone around the site and offered 20 residents shelter in the parish hall while the bomb disposal unit investigated.
Both lanes of the A23 at Pease Pottage, near the motorway junction, and the A272 at Bolney were closed for several hours.
The Horsham Road at Handcross was also shut and traffic diversions set up.
Drivers were advised to avoid the area because of traffic gridlock.
The £1,000 bat detector, which monitors the nocturnal creature’s calls, was put under the bridge as part of a survey of the endangered creatures.
For those who don’t know, the A23 is the main road between London and Brighton on the south coast. More info on the incident here and here.
I like this comment:
We are working on ways to improve identification of our property to avoid a repeat of the incident.
Might I suggest a sign: “This is not a bomb.”
Refuse to be terrorized, people!
Sidebar photo of Bruce Schneier by Joe MacInnis.