Sunday, January 10, 2010

https and TSA: Kabuki Security Theater In A Quantified Framework

There is an analogy between https and TSA security that I have been thinking about lately.  This thinking has been in part, to the great interview of Bruce Schneier in about a year ago title Safe, But Also Sorry where Security expert Bruce Schneier talks about privacy and property in the information state written by Katherine Mangu-Ward on January 16, 2009.

First, let me state what should be obvious about the great job that TSA does for our country.  Let's look at the math.  According to what I can find, there are approximately 28,000 flights per day in the US.  That is 10,220,000 flights per year.  We had one incident on Christmas day in 2009.  That means that the chance of an incident is .0000000978 or .00000978%   That also means that TSA is putting up a 99.99999022% success rate of stopping an incident where no one got hurt.  That is SEVEN NINES of success.  I can not think of any other industry that talks about seven nines of success.

Most users are told to look for the lock icon and make sure that the website they are going to starts with https and not simply http and then they are secure.  The user is secure between their browser and that particular site.  https absolutely does not mean that the customers data is encrypted on that sites back end systems, it does not mean that the site has the proper governance in place, it does not mean anything more than the pipe is encrypted between the browser and that particular site.

When you go through TSA security at any airport, it is analogous to https because you only know what you see as you go through - you do not know what security checks are being done or have been done outside your physical scans of your body and your carryons.

 Bruce Schneier has an interesting analysis in the article listed above:

Reason: You coined the phrase "security theater" and you've been critical of the TSA's choices on priorities and tactics. What has the TSA done wrong that's fixable? What has the TSA done right?

Bruce Schneier: The TSA focuses too much on specific tactics and targets. This makes sense politically, but is a bad use of security resources. Think about the last eight years. We take away guns and knives, and the terrorists use box cutters. We confiscate box cutters and knitting needles, and they put explosives in their shoes. We screen shoes, and they use liquids. We take away liquids, and they'll do something else. This is a dumb game; the TSA should stop playing. Some screening is necessary to stop the crazy and the stupid, but it's not going to stop a professional terrorist attack. We don't need more and better screening; we need less. On the other hand, I like seeing the direction they're heading in terms of behavioral profiling, though we need to be careful. Done wrong, it's nothing more than stereotyping; but done right, it can be very effective. It needs more focus on people and less on objects. We can't manage to keep weapons out of prisons; we'll never keep them out of airports. Oh, and stop the ID checking—the notion that there is this master list of terrorists that we can check people off against is just plain silly.

Reason: What would success look like for the TSA? If you were made King of Airport Security tomorrow and given the entire current budget of the TSA to do whatever you wanted, what kind of system would you design?

Schneier: If I were in charge of the TSA's budget, I'd give most of it back. Politically, I wouldn't be able to, of course, but it would be the best thing to do. Spending money on airport/airplane security only makes sense if the bad guys target airplanes. In general, money spent defending particular targets or tactics only makes sense if we can guess them correctly. If tactics and targets are scarce, defending against specific ones makes us safer. If tactics and targets are plentiful—as they are—it only forces the bad guys to pick new ones. Spending money on intelligence, investigation, and emergency response is effective regardless of the tactic or the target. Airport security is a last line of defense, and not a very good one at that. We need to remember that at budget time.

Here is the challenge in the United States of America.  Most American politicians are not skilled enough or open minded enough to think this situation through to do what is right as opposed to what sounds good in the 22 second sound bite on the local rapid and rabid partisan news shows.   With https, what are the security and privacy policies that a company has?   It is typically very difficult to find out beyond some generic privacy policy that is a cut-n-paste from some lawyer's home directory.  This why I think https and TSA security are similar - they look good on the outside, but the outside is only 5% of the problem and it is important to realize there is much hard work that must be done on the inside as well - and sometimes you just won't see it - but it is important.

UPDATE:   It seems to me that a lot of things have changed for the better in the past few years in terms of airport security and common sense.   I wonder what Bruce Schneier would think today?