Security Theater

My favorite security expert is Bruce Schneier, and not just when it comes to computer security. Sure, he understands that better than almost anyone else I can think of, but he also has a deep understanding of the underlying concepts of security, including the psychology behind it.

Schneier is an outspoken critic of many of the tactics used by the Department of Homeland Security in the post September 11th world. In his recent book on the topic, Beyond Fear, he coins the phrase “security theater” to describe the countermeasures taken by the government that create the feeling of security while doing very little to actually improve it. If you’ve flown recently, you know many of these: Being forced to take off your shoes, the ban on large containers of liquids, the ban on knitting needles and lighters, the list goes on and on.

This week, Bruce is posting a five-part interview series with the head of the Transportation Security Administration, Kip Hawley. The first two pieces are up as I write this, and I have to say, Schneier really lets him have it:

This feels so much like “cover your ass” security: you’re screening our shoes because everyone knows Richard Reid hid explosives in them, and you’ll be raked over the coals if that particular plot ever happens again. But there are literally thousands of possible plots.

So when does it end? The terrorists invented a particular tactic, and you’re defending against it. But you’re playing a game you can’t win. You ban guns and bombs, so the terrorists use box cutters. You ban small blades and knitting needles, and they hide explosives in their shoes. You screen shoes, so they invent a liquid explosive. You restrict liquids, and they’re going to do something else. The terrorists are going to look at what you’re confiscating, and they’re going to design a plot to bypass your security.

That’s the real lesson of the liquid bombers. Assuming you’re right and the explosive was real, it was an explosive that none of the security measures at the time would have detected. So why play this slow game of whittling down what people can bring onto airplanes? When do you say: “Enough. It’s not about the details of the tactic; it’s about the broad threat”?

For a great audio interview with Bruce Schneier about his book and national security in particular, IT Conversations has an excellent talk with him from 2004. Highly recommended.