Wednesday, November 24, 2010

TSA: The Problem of Trust

The Transport Safety Administration, the President, the Secretary of State, and very nearly everyone else agrees that that the full body searches and alternative pat downs the TSA has started to implement are intrusive. The TSA, however, insists that they are a necessary precaution to prevent future aircraft bombings.

This would be a persuasive argument if the rest of us had any reason to take claims by the TSA seriously, but we don't. Whether or not this particular requirement makes sense—I have seen arguments by people better qualified to judge than I am who think it does not—enough past requirements were clearly security theater rather than security to destroy any claim the organization might have had to be trusted.

To take the earliest and most striking example, the TSA used to, for all I know still does, interpret the rule against knives to cover the inch long nail files sometimes built into nail clippers, with the result that anyone who happened to have a nail clipper with him and did not want to trash it was required to let them break off the file. To take a long continued example, the TSA insists that its agents be able to search our luggage but has failed to take the most elementary precaution to keep them from pilfering valuables—including in the note enclosed in searched luggage a number identifying the agent who searched it. In these ways and others, the organization has demonstrated that its concern, insofar as an organization can be said to have concerns, is with something other than the welfare of the people it claims to protect.

And, for the latest example, the TSA initially insisted that the new search requirements applied to pilots as well as passengers. Only after someone pointed out to them that a pilot who wanted to crash the plane he was flying didn't need explosives to do it—and, more important, after it became clear that enough pilots were unwilling to go along with the requirement to provide, at the least, a very serious public relations problem—did they reverse that part of their policy. The implication is either an organizational IQ at the idiot level or, more plausibly, an organization more concerned with image than substance.

Trust, once lost, is hard to get back.

27 comments:

Hernan Coronel said...

Please look at Bruce Schneier's blog here http://www.schneier.com/. He is a security researcher and cryptographic champion as well as a very good writer. I usually read your blog and Bruce's blog and it is amazing to discover that both of your views although from a different perspective end up discussing the same subject matter.

Hernan Coronel said...

I just realized that your only link points in fact to an interview with Bruce. Duh!

Anonymous said...

He's popular with geeks who mistake cryptography for security. He's popular with many other folks who confuse agreeing with their prejudices with being right. He's got a good gift of gab, and is always good for a soundbite, which gets him widely quoted and linked - valuables attribute for one that makes his living selling his books and getting paid to be a speaker.

But I'd be more impressed with Bruce's comments if he showed any actual familiarity with physical security and actually analyzed the the issues rather than just routinely dismissing them with a casual and farcical analysis and repeating his trademarked Olympian phrase: "this is yet again Security Theater".

Anonymous said...

This reminds me of a blog post I recently saw about an active duty military person returing from Afghanistan who was carrying a firearm (with no ammo) and had a nail clipper confiscated by TSA since it could be used as a weapon.

Henry Cate said...

Does anyone have suggestions on effective ways to get the TSA policies overturned?

We normally fly Southwest. I plan to write them telling them I won't fly again, or subject my daughters to TSA groping until this changes.

I can write my politicians.

Any other suggestions?

Hernan Coronel said...

I don't think I mistake cryptography with security and I don't think Mr Schneier does that either. In fact his (rather) new book is "Practical Cryptography" as opposed to his previous book "Applied Cryptography" where he acknowledges other aspects of security and practicality that must go along with Cryptography in order for it to work for common people. I think it is also important to point out that Mr. Schneier has been involved in the design of several cryptographic algorithms, twofish and blowfish are very noted cases among others. He has also published excellent papers on cryptography with other noted colleagues, his work is listed here:
http://www.schneier.com/cryptography.html
He also has several books on security besides cryptography:
http://www.schneier.com/books.html

Additionally I don't know if I am a geek or not but I would like to point out that I have worked for IBM, Akamai and Symantec among other corporations dealing directly or indirectly with security related projects for over 15 years now. I am also a CISSP since 2009.

Miko said...

A pilot could still smuggle explosives through security and the transfer them to someone else.

Indeed, if it's known that pilots receive less scrutiny, this would be the logical thing for terrorists to do, especially since it's a hole that can be exploited repeatedly.

William H. Stoddard said...

More to the point than writing to your elected officials is (a) getting in touch with the airlines you patronized and telling them to forget about your business and (b) even more important, giving the same message to your local airport. Give the economic interest groups a reason to lobby for change.

Henry Cate said...

I had forgotten about the airports. Thanks. There are three in our area. The first one that switches from TSA to private security firms will get my business.

Anonymous said...

A TSA security session has inspired Roxi Copland to come up with a new song about the ordeal: "I'll Be Groped for Christmas".

Anonymous said...

Want to avoid being whisked away into TSA touchy-feeliness? Then you should probably have a few garments like super skinny jeans or Johnnie Walker tartan kilts.

Anonymous said...

Whether you're talking about computer security or physical security, the same principle applies: the security is only as good as its weakest point. The adversary is not bothered by ostentatious locks on the front door if the back door is wide open.

Unfortunately for people in the business of promising security from terrorism, the terrorist has a limitless supply of options.

jimbino said...

The fact that TSA has caught no terrorists is proof of nothing, considering that it may well be that the threat of getting flagged by TSA has held the terrorists at bay.

"Why do you keep snapping your fingers?
...It keeps the elephants away."

"There are no elephants around here.
...See, it works!"

Anonymous said...

Miko said...
"A pilot could still smuggle explosives through security and the transfer them to someone else."

There's no need for the pilot to smuggle explosives for himself or a passenger because the pilot still has control of the plane.

Rex Little said...

I had forgotten about the airports. The first one that switches from TSA to private security firms will get my business.

Legally, does an airport have the option to do that?

Hernan Coronel said...

The point here is why keep attacking (and protecting) airplanes or airports when there are plenty of good targets like trains, shopping malls, bridges, buildings, etc. The dumb thing is to spend that much time and money trying to protect airports and airplanes.
The TSA knows this and enjoys the big budget spending they are riding on now, they know it'll somehow end but meanwhile they do what bureaucrats do well: keep spending more and more, scaring the general public to get more budget (similar to the FBI et al and "organized crime") and maximizing "their own profit" that has nothing to do with the general public welfare or security.
Going back to Schneier he always mentions that good security goes after the root cause (in this case the terrorists) with good intelligence and that it makes no sense to protect the targets since there are so many.

Doc Merlin said...

@Miko

Its far far sillier than that.
Airport workers that aren't seen by the passengers are not searched or scanned. The entire thing is merely theater, not actual security.

Anonymous said...

There's no need for the pilot to smuggle explosives for himself or a passenger because the pilot still has control of the plane.

Planes are generally flown by two pilots, not one. I can think of at least one case (1994, Air Maroc) where a pilot actually became suicidal and deliberately crashed the plane into the ground. There were no links to terrorism, but the flight records are clear: he had disengaged the autopilot and was shouting "Mourir! Mourir!".

The copilot was blamed for failing to subdue the pilot and/or prevent the crash.

lars P said...

A pilot could smuggle in a bomb to be put on an other plane.

He could also smuggle in a timed bomb that detonates when someone else flies the plane.

Lars P said...

Not searching pilots does open up some attack possibilities. I'm not claiming that they're serious enough to motivate searches, just that they do exist.

A pilot could smuggle in a bomb to be put on an other plane by an accomplice on the inside.

A pilot could also smuggle in a time bomb that detonates when someone else flies the plane.

These are far more attractive attacks for a pilot, in that s/he would survive them.

Anonymous said...

A pilot could still smuggle explosives through security and the transfer them to someone else.

By that logic, couldn't a TSA agent equally smuggle explosives through security and then transfer them to someone else?

Do TSA agents go through the scanners or give each other enhanced pat downs every morning before they go to work? Somehow I doubt it.

Anonymous said...

Check this out for sure!
http://www.youtube.com/watch?v=U3oMknLt6mI&feature=player_embedded

Very creative, witty and hits all the issues - "The TSA Touchy Security Airport Song" posted on YOU Tube originally

Andrew said...

The security theater is necessary because nine years of republicans and fox news repeating "9/11" over and over has made America a country of scared wimps.

Anonymous said...

Yes Rex Little, the airport can opt out of TSA for a private, approved, security company.

Robbo said...

My son, coming back from Australia had a tourist souvenir toy boomerang confiscated at Security. We were amazed that anyone could think you could seize control of a plane with such a 'weapon'. We were however disgusted when we got to the airside shops and saw the exact same items on sale in the shops.

Anonymous said...

From my reading, even if an airport opts out of using TSA workers, the TSA still has regulatory authority over security and could mandate the same policies to be in place. Whether that holds true in practice, I can't say.

John T. Kennedy said...

"The implication is either an organizational IQ at the idiot level or, more plausibly, an organization more concerned with image than substance."

I see no reason to rule out both...