I thought that this was a great article.
-----------------------
Since 9/11, our nation has been obsessed with air-travel security.
Terrorist attacks from the air have been the threat that looms largest
in Americans' minds. As a result, we've wasted millions on misguided
programs to separate the regular travelers from the suspected
terrorists -- money that could have been spent to actually make us safer.
Consider CAPPS and its replacement, Secure Flight. These are programs
to check travelers against the 30,000 to 40,000 names on the
government's No-Fly list, and another 30,000 to 40,000 on its Selectee
list.
They're bizarre lists: people -- names and aliases -- who are too
dangerous to be allowed to fly under any circumstance, yet so innocent
that they cannot be arrested, even under the draconian provisions of
the Patriot Act. The Selectee list contains an equal number of
travelers who must be searched extensively before they're allowed to
fly. Who are these people, anyway?
The truth is, nobody knows. The lists come from the Terrorist Screening
Database, a hodgepodge compiled in haste from a variety of sources,
with no clear rules about who should be on it or how to get off it. The
government is trying to clean up the lists, but -- garbage in, garbage
out -- it's not having much success.
The program has been a complete failure, resulting in exactly zero
terrorists caught. And even worse, thousands (or more) have been denied
the ability to fly, even though they've done nothing wrong. These
denials fall into two categories: the "Ted Kennedy" problem (people who
aren't on the list but share a name with someone who is) and the "Cat
Stevens" problem (people on the list who shouldn't be). Even now, four
years after 9/11, both these problems remain.
I know quite a lot about this. I was a member of the government's
Secure Flight Working Group on Privacy and Security. We looked at the
TSA's program for matching airplane passengers with the terrorist watch
list, and found a complete mess: poorly defined goals, incoherent
design criteria, no clear system architecture, inadequate testing. (Our
report was on the TSA website, but has recently been removed --
"refreshed" is the word the organization used -- and replaced with an
"executive summary" that contains none of the report's findings. The
TSA did retain two rebuttals, which read like products of the same
outline and dismiss our findings by saying that we didn't have access
to the requisite information.) Our conclusions match those in two
reports by the Government Accountability Office and one by the DHS
inspector general.
Alongside Secure Flight, the TSA is testing Registered Traveler
programs. There are two: one administered by the TSA, and the other a
commercial program from Verified Identity Pass called Clear. The basic
idea is that you submit your information in advance, and if you're OK
-- whatever that means -- you get a card that lets you go through
security faster.
Superficially, it all seems to make sense. Why waste precious time
making Grandma Miriam from Brooklyn empty her purse when you can search
Sharaf, a 26-year-old who arrived last month from Egypt and is
traveling without luggage?
The reason is security. These programs are based on the dangerous myth
that terrorists match a particular profile and that we can somehow pick
terrorists out of a crowd if we only can identify everyone. That's
simply not true.
What these programs do is create two different access paths into the
airport: high-security and low-security. The intent is to let only good
guys take the low-security path and to force bad guys to take the
high-security path, but it rarely works out that way. You have to
assume that the bad guys will find a way to exploit the low-security
path. Why couldn't a terrorist just slip an altimeter-triggered
explosive into the baggage of a registered traveler?
It may be counterintuitive, but we are all safer if enhanced screening
is truly random, and not based on an error-filled database or a cursory
background check.
The truth is, Registered Traveler programs are not about security;
they're about convenience. The Clear program is a business: Those who
can afford $80 per year can avoid long lines. It's also a program with
a questionable revenue model. I fly 200,000 miles a year, which makes
me a perfect candidate for this program. But my frequent-flier status
already lets me use the airport's fast line and means that I never get
selected for secondary screening, so I have no incentive to pay for a
card. Maybe that's why the Clear pilot program in Orlando, Florida,
only signed up 10,000 of that airport's 31 million annual passengers.
I think Verified Identity Pass understands this, and is encouraging use
of its card everywhere: at sports arenas, power plants, even office
buildings. This is just the sort of mission creep that moves us ever
closer to a "show me your papers" society.
Exactly two things have made airline travel safer since 9/11:
reinforcement of cockpit doors, and passengers who now know that they
may have to fight back. Everything else -- Secure Flight and Trusted
Traveler included -- is security theater. We would all be a lot safer
if, instead, we implemented enhanced baggage security -- both ensuring
that a passenger's bags don't fly unless he does, and explosives
screening for all baggage -- as well as background checks and increased
screening for airport employees.
Then we could take all the money we save and apply it to intelligence,
investigation and emergency response. These are security measures that
pay dividends regardless of what the terrorists are planning next,
whether it's the movie plot threat of the moment, or something entirely
different.
----------------------------
CRYPTO-GRAM is written by Bruce Schneier. Schneier is the author of
the best sellers "Beyond Fear," "Secrets and Lies," and "Applied
Cryptography," and an inventor of the Blowfish and Twofish
algorithms. He is founder and CTO of Counterpane Internet Security
Inc., and is a member of the Advisory Board of the Electronic Privacy
Information Center (EPIC). He is a frequent writer and lecturer on
security topics. See <http://www.schneier.com>.
Counterpane is the world's leading protector of networked information -
the inventor of outsourced security monitoring and the foremost
authority on effective mitigation of emerging IT threats. Counterpane
protects networks for Fortune 1000 companies and governments
world-wide. See <http://www.counterpane.com>.
Crypto-Gram is a personal newsletter. Opinions expressed are not
necessarily those of Counterpane Internet Security, Inc.
Copyright (c) 2005 by Bruce Schneier.
-----------------------
Since 9/11, our nation has been obsessed with air-travel security.
Terrorist attacks from the air have been the threat that looms largest
in Americans' minds. As a result, we've wasted millions on misguided
programs to separate the regular travelers from the suspected
terrorists -- money that could have been spent to actually make us safer.
Consider CAPPS and its replacement, Secure Flight. These are programs
to check travelers against the 30,000 to 40,000 names on the
government's No-Fly list, and another 30,000 to 40,000 on its Selectee
list.
They're bizarre lists: people -- names and aliases -- who are too
dangerous to be allowed to fly under any circumstance, yet so innocent
that they cannot be arrested, even under the draconian provisions of
the Patriot Act. The Selectee list contains an equal number of
travelers who must be searched extensively before they're allowed to
fly. Who are these people, anyway?
The truth is, nobody knows. The lists come from the Terrorist Screening
Database, a hodgepodge compiled in haste from a variety of sources,
with no clear rules about who should be on it or how to get off it. The
government is trying to clean up the lists, but -- garbage in, garbage
out -- it's not having much success.
The program has been a complete failure, resulting in exactly zero
terrorists caught. And even worse, thousands (or more) have been denied
the ability to fly, even though they've done nothing wrong. These
denials fall into two categories: the "Ted Kennedy" problem (people who
aren't on the list but share a name with someone who is) and the "Cat
Stevens" problem (people on the list who shouldn't be). Even now, four
years after 9/11, both these problems remain.
I know quite a lot about this. I was a member of the government's
Secure Flight Working Group on Privacy and Security. We looked at the
TSA's program for matching airplane passengers with the terrorist watch
list, and found a complete mess: poorly defined goals, incoherent
design criteria, no clear system architecture, inadequate testing. (Our
report was on the TSA website, but has recently been removed --
"refreshed" is the word the organization used -- and replaced with an
"executive summary" that contains none of the report's findings. The
TSA did retain two rebuttals, which read like products of the same
outline and dismiss our findings by saying that we didn't have access
to the requisite information.) Our conclusions match those in two
reports by the Government Accountability Office and one by the DHS
inspector general.
Alongside Secure Flight, the TSA is testing Registered Traveler
programs. There are two: one administered by the TSA, and the other a
commercial program from Verified Identity Pass called Clear. The basic
idea is that you submit your information in advance, and if you're OK
-- whatever that means -- you get a card that lets you go through
security faster.
Superficially, it all seems to make sense. Why waste precious time
making Grandma Miriam from Brooklyn empty her purse when you can search
Sharaf, a 26-year-old who arrived last month from Egypt and is
traveling without luggage?
The reason is security. These programs are based on the dangerous myth
that terrorists match a particular profile and that we can somehow pick
terrorists out of a crowd if we only can identify everyone. That's
simply not true.
What these programs do is create two different access paths into the
airport: high-security and low-security. The intent is to let only good
guys take the low-security path and to force bad guys to take the
high-security path, but it rarely works out that way. You have to
assume that the bad guys will find a way to exploit the low-security
path. Why couldn't a terrorist just slip an altimeter-triggered
explosive into the baggage of a registered traveler?
It may be counterintuitive, but we are all safer if enhanced screening
is truly random, and not based on an error-filled database or a cursory
background check.
The truth is, Registered Traveler programs are not about security;
they're about convenience. The Clear program is a business: Those who
can afford $80 per year can avoid long lines. It's also a program with
a questionable revenue model. I fly 200,000 miles a year, which makes
me a perfect candidate for this program. But my frequent-flier status
already lets me use the airport's fast line and means that I never get
selected for secondary screening, so I have no incentive to pay for a
card. Maybe that's why the Clear pilot program in Orlando, Florida,
only signed up 10,000 of that airport's 31 million annual passengers.
I think Verified Identity Pass understands this, and is encouraging use
of its card everywhere: at sports arenas, power plants, even office
buildings. This is just the sort of mission creep that moves us ever
closer to a "show me your papers" society.
Exactly two things have made airline travel safer since 9/11:
reinforcement of cockpit doors, and passengers who now know that they
may have to fight back. Everything else -- Secure Flight and Trusted
Traveler included -- is security theater. We would all be a lot safer
if, instead, we implemented enhanced baggage security -- both ensuring
that a passenger's bags don't fly unless he does, and explosives
screening for all baggage -- as well as background checks and increased
screening for airport employees.
Then we could take all the money we save and apply it to intelligence,
investigation and emergency response. These are security measures that
pay dividends regardless of what the terrorists are planning next,
whether it's the movie plot threat of the moment, or something entirely
different.
----------------------------
CRYPTO-GRAM is written by Bruce Schneier. Schneier is the author of
the best sellers "Beyond Fear," "Secrets and Lies," and "Applied
Cryptography," and an inventor of the Blowfish and Twofish
algorithms. He is founder and CTO of Counterpane Internet Security
Inc., and is a member of the Advisory Board of the Electronic Privacy
Information Center (EPIC). He is a frequent writer and lecturer on
security topics. See <http://www.schneier.com>.
Counterpane is the world's leading protector of networked information -
the inventor of outsourced security monitoring and the foremost
authority on effective mitigation of emerging IT threats. Counterpane
protects networks for Fortune 1000 companies and governments
world-wide. See <http://www.counterpane.com>.
Crypto-Gram is a personal newsletter. Opinions expressed are not
necessarily those of Counterpane Internet Security, Inc.
Copyright (c) 2005 by Bruce Schneier.
