On the TSA

Security conferences are little microcosms of the security industry mindset.  Everyone herds excitedly to the talks with the new, big, lurid hacks because offense is super sexy.  We all ooh and aah as someone with a Powerpoint deck demonstrates some explosive breach of known security.  Then the talk is over and immediately we’re herded to the vendor aisle where the vendors schlep an array of expensive pieces of hardware.  Seen the attack?  Now here’s the countermeasure!  It will only cost you $100,000 and several hundred man-hours to get up and working, but you don’t want to be subject to that attack you just saw, do you?  The CTOs and CEOs, many with MBAs instead of engineering degrees, shake hands, watch demonstrations, take cards, and promise to make calls because this hoopy new equipment will stop that very scary new attack because wow was that scary.  They have room in their budgets, they promise.

As a security professional, my brain isn’t wired right.  I love hot new attacks.  I find them fascinating.  I read about them obsessively.  I should be working but no, I’m reading about some new way to take out a database with a well-crafted command.  But I’m also an engineer and I know that an offensive demonstration sells expensive, and somewhat dubious, defense hardware, and defense is big business.  Yeah, you need a big heap of hardware these days to run a secure network, I’m not claiming you don’t, but I also know that the sexy new attack may be mitigated, not with another $100,000 expenditure, but with a few hours of expert code review.  I have a dollop of doubt gleaned from many years of experience.

But that doesn’t stop the anxious CTO or CEO who has a mandate and, instead of doing threat modeling and risk analysis, wants to fix the problem quickly with a new piece of hardware because wow, that Powerpoint deck was pretty scary.  Everyone get to work!  Plug this in!  Make system changes!  So it goes.  It keeps us all employed.

Terrorism is a physical security problem that cannot be stopped at the gates of an airport.  If a terrorist has reached an airport, the terrorist has breached many layers of other security — real security and law enforcement.  It is far too late.  The system has failed.  At that point, only three things mitigate the attack: reinforced doors on airplanes, passengers who will not be cowed, and people who blow themselves up are generally not the sharpest tack in the pile.*  That’s it and those goals have been achieved.  Past that, putting money into police and emergency response would be useful.  It’s a crime and like any crime it’s essentially random; it’s an externality whose real risk probability is low.  If you have 300 million fliers and 1 terrorist, then you deal with the problem when it happens because searching for the real risk at the point of entry is futile.**

Logic and good engineering dictate that we model for high-probability risks when securing our systems and work to mitigate those risks.  However, the Powerpoint deck for global terrorism offensive attacks is super hot: it shows buildings blown up and dead people in the streets and bodies and planes crashing into buildings.  It’s damn scary.  Worse, it makes the stakeholders unelectable if such a thing comes to pass.  Non-engineers sitting in elected or appointed office look at those Powerpoint decks and Get the Fear.  They then walk down the aisles of vendors afterward and say: “I will take one of everything.”

The TSA is not a security organization.  They don’t serve any real security purpose.  Other people in other government organizations deal with the real work.  No way can people hired from ads off the back of pizza boxes and given 40 hours of web-based instruction know what to do if they encounter an actual terrorist.  That’s absolutely absurd.  The threat model shows the probability of an actual terrorist in an airport line, instead of, say, just mailing the bomb, is infinitesimally low.  It’s an acceptable risk to put non-security personnel in security positions.  It makes for a great government work project in a recession.  And wouldn’t a terrorist with an actual live bomb just blow himself up in one of those backscatter machines?

The TSA does serve a very important purpose to the Federal Government: Marketing.  They market security.  They have SIGNS.  And UNIFORMS.  They give people Very Meaningful Looks.  They stand around in airports with big machines that go bloop like great big advertisements full of warm fuzzy safety.  They market for elected leaders who want to show they are keeping us all safe.  They’re like the election time TV advertisements except with groping.  Go through the bloop machine!  Don’t you feel safer now?

Take off shoes, take off jackets, throw out liquids, get pat downs, go through scanners — none of it serves any actual purpose except to sell a feeling of security to a jittery public who feasts on capitalist marketing, because real security is hard and doesn’t always succeed.  That’s the hard truth the public will not accept: we are unable to defend against all risks.  It’s not physically possible.  But the Government will give you a pleasant illusion.  To sell warm fuzzy non-offensive security when faced with a real (if lame) attempt, the TSA must buy more machines that go bloop because someone in a suit watched a very scary Powerpoint deck indeed and some smiling vendor was standing with their card right outside the demonstration.  If they don’t install the machines that go bloop, what do they do?

Funny thing, the Government, under money pressures, now has to provide a strategic, risk-based assessment of their security countermeasures starting Real Soon Now.  The machines that go bloop and the new security measures must be in place before the risk-based models go in.  The TSA has not turned in any risk assessments of the new machines to the GAO to justify the purchases and they won’t because the risk of finding someone real with their current operation is so tiny and the risk of something going wrong with the machines is so much greater that the purchase can’t be justified.  But they don’t need risk assessments because, at the core, the mission isn’t security.

My stance on the TSA is well known.  I don’t like such obvious wastes of money, and I especially don’t like it with machines that go bloop and may or may not cause skin carcinoma.  Nate Silver has an interesting article on the hidden costs of extra airport security.  But next time you go through security, you should ask for a Coke with your grope — at least with a Coke, you get a Coke!

I have more stuff, about how security has a customer service and customer expectations model to it, about how the TSA needs to think of itself as a customer service organization first, about how the entire organization has to be rethunk, but this post has gone on long enough. The TSA is here to stay.  They provide too much CYA to lawmakers to ever disband.  But to save us all money, they should just pull the plugs on the machines and send us all through.  It will help with global warming, at least.  If they unplugged the machines, would you ever be able to tell?

Here’s the recruitment pizza box.  You can find it in a bunch of places.

Threat Level’s discussion on TSA training.  40 hours of web-based instruction and 60 hours on the job!

Here’s the GAO report I cite.  I cannot find if their position has changed but as far as I can tell, no risk management study has been completed.

* If you think strapping a bomb to your nads is smart then I have some equipment I can sell you!

** The argument here is “but the attack is huge.”  Yes, that’s possible, but the point stands: if the terrorist gets on the plane there are bigger problems with the system.