Don’t Fear the TSA Cutting Airport Security. Be Glad That They’re Talking about It.

Don’t Fear the TSA Cutting Airport Security. Be Glad That They’re Talking about It.:

Last week, CNN reported that the Transportation Security Administration is considering eliminating security at U.S. airports that fly only smaller planes — 60 seats or fewer. Passengers connecting to larger planes would clear security at their destinations.

To be clear, the TSA has put forth no concrete proposal. The internal agency working group’s report obtained by CNN contains no recommendations. It’s nothing more than 20 people examining the potential security risks of the policy change. It’s not even new: The TSA considered this back in 2011, and the agency reviews its security policies every year. But commentary around the news has been strongly negative. Regardless of the idea’s merit, it will almost certainly not happen. That’s the result of politics, not security: Sen. Charles E. Schumer (D-N.Y.), one of numerous outraged lawmakers, has already penned a letter to the agency saying that “TSA documents proposing to scrap critical passenger security screenings, without so much as a metal detector in place in some airports, would effectively clear the runway for potential terrorist attacks.” He continued, “It simply boggles the mind to even think that the TSA has plans like this on paper in the first place.”

We don’t know enough to conclude whether this is a good idea, but it shouldn’t be dismissed out of hand. We need to evaluate airport security based on concrete costs and benefits, and not continue to implement security theater based on fear. And we should applaud the agency’s willingness to explore changes in the screening process.

There is already a tiered system for airport security, varying for both airports and passengers. Many people are enrolled in TSA PreCheck, allowing them to go through checkpoints faster and with less screening. Smaller airports don’t have modern screening equipment like full-body scanners or CT baggage screeners, making it impossible for them to detect some plastic explosives. Any would-be terrorist is already able to pick and choose his flight conditions to suit his plot.

Over the years, I have written many essays critical of the TSA and airport security, in general. Most of it is security theater — measures that make us feel safer without improving security. For example, the liquids ban makes no sense as implemented, because there’s no penalty for repeatedly trying to evade the scanners. The full-body scanners are terrible at detecting the explosive material PETN if it is well concealed — which is their whole point.

There are two basic kinds of terrorists. The amateurs will be deterred or detected by even basic security measures. The professionals will figure out how to evade even the most stringent measures. I’ve repeatedly said that the two things that have made flying safer since 9/11 are reinforcing the cockpit doors and persuading passengers that they need to fight back. Everything beyond that isn’t worth it.

It’s always possible to increase security by adding more onerous — and expensive — procedures. If that were the only concern, we would all be strip-searched and prohibited from traveling with luggage. Realistically, we need to analyze whether the increased security of any measure is worth the cost, in money, time and convenience. We spend $8 billion a year on the TSA, and we’d like to get the most security possible for that money.

This is exactly what that TSA working group was doing. CNN reported that the group specifically evaluated the costs and benefits of eliminating security at minor airports, saving $115 million a year with a “small (nonzero) undesirable increase in risk related to additional adversary opportunity.” That money could be used to bolster security at larger airports or to reduce threats totally removed from airports.

We need more of this kind of thinking, not less. In 2017, political scientists Mark Stewart and John Mueller published a detailed evaluation of airport security measures based on the cost to implement and the benefit in terms of lives saved. They concluded that most of what our government does either isn’t effective at preventing terrorism or is simply too expensive to justify the security it does provide. Others might disagree with their conclusions, but their analysis provides enough detailed information to have a meaningful argument.

The more we politicize security, the worse we are. People are generally terrible judges of risk. We fear threats in the news out of proportion with the actual dangers. We overestimate rare and spectacular risks, and underestimate commonplace ones. We fear specific “movie-plot threats” that we can bring to mind. That’s why we fear flying over driving, even though the latter kills about 35,000 people each year — about a 9/11’s worth of deaths each month. And it’s why the idea of the TSA eliminating security at minor airports fills us with fear. We can imagine the plot unfolding, only without Bruce Willis saving the day.

Very little today is immune to politics, including the TSA. It drove most of the agency’s decisions in the early years after the 9/11 terrorist attacks. That the TSA is willing to consider politically unpopular ideas is a credit to the organization. Let’s let them perform their analyses in peace.

This essay originally appeared in the Washington Post.

(Via Schneier on Security – emphasis above is mine)

Bruce knows at least as much about this as anyone outside of TSA, and one can argue more than most inside. I always appreciate his analysis.

Also on:

EU Screws Up Copyright Ruling on Student’s Presentation

EU Screws Up Copyright Ruling on Student’s Presentation:

It would seem obvious to me that educational use should be a valid exception from copyright law. After all, copyright exists for the benefit of society, and educating the next generation is to our collective benefit.

The concept of fair use is clearly established in US copyright law, and in fact Germany has a similar law. Furthermore, the EU copyright directive states that EU members can pass laws granting a copyright exception for education purposes.

But this court went against both common sense and existing policies to rule that because the student’s presentation was posted online, the copyright was infringed.

That is a terrible ruling, with a frankly nonsensical justification. It is based on the assumption that putting the photo online was a unique and special thing, when in fact everything is put online these days. It is 2018, and I am surprised the school hadn’t required the kid to put the presentation on Slideshare, Google Docs or some other online service because they wanted to the student to learn how to use the online tools.

The fact the court can’t see that is evidence of just how out of date they are and how little they know about modern times.

(Via The Digital Reader)

Also on:

DHS vulnerability scanning program offline after Virginia office loses power

DHS vulnerability scanning program offline after Virginia office loses power:

Two cybersecurity programs the Department of Homeland Security offers both states and the private sector have been temporarily knocked offline due to a power outage, while other services have been shifted to backup locations, multiple sources tell CyberScoop.

The National Cybersecurity and Communications Integration Center (NCCIC), the 24/7 hub for monitoring cyberthreats across the government and critical infrastructure, has shifted operations to a backup location in Florida. The move was made after the Arlington, Virginia, building that houses NCCIC lost power last week due to heavy rains.

Additionally, two other programs under NCCIC’s National Cybersecurity Assessments and Technical Services (NCATS) — Cyber Hygiene vulnerability scans and Phishing Campaign Assessment — have been offline since July 26.

The Cyber Hygiene program remotely detects known vulnerabilities on internet-facing services. The Phishing Campaign Assessment program is part of a remote penetration testing service. Both programs are used by hundreds of customers across the country. Thirty-four states have received vulnerability scans through the Cyber Hygiene program, according to a DHS presentation given at the National Association of State Election Directors summer conference.

DHS Assistant Secretary for Cybersecurity and Communications Jeanette Manfra told CyberScoop that the disruption to Cyber Hygiene is temporary, and that election systems will be the first to resume service once the program comes back online. Officials expect scans to resume Aug. 6.

The building housing NCCIC suffered heavy damage on when portions of the façade ruptured due to the volume of rain that fell in the Washington, D.C., region. The roof of a restaurant on the building’s ground level failed during business hours on July 26.

… A number of DHS offices are in that building.

CyberScoop has learned that due to the water damage, the building completely lost power, which prevented server rooms used by DHS from staying cool. Once the room reached a certain temperature, a sprinkler system was activated. Those sprinklers damaged servers supporting the Cyber Hygiene and Phishing Campaign Assessment programs.

On Sunday, the NCATS office sent an email to its customers informing them that Cyber Hygiene and Phishing Campaign Assessment were offline and that contingency plans have been put in place.

“In order to minimize the operational impact, we immediately implemented our contingency plans and transferred functions to other sites, including NPPD’s facility in Pensacola, Fla.,” the email, obtained by CyberScoop, reads. “We are working to restore these services as quickly as possible. We will let you know when the service and reports will resume.”

NPPD is the National Protection and Programs Directorate, which oversees NCCIC.

The power outage has had a “minimal impact” on DHS’s cybersecurity operations, Krebs said. The incident has not, for example, affected the department’s ability to respond to cyber incidents or issue warnings to the private sector.

DHS has been at the center of the federal government’s efforts to fortify U.S. voting infrastructure following the 2016 presidential election, when Russian hackers probed systems in 21 states. Last week it was revealed that the same outfit of Russian hackers that meddled in the 2016 election appears to have targeted  Sen. Claire McCaskill‘s office.

(Via Cyberscoop)

With the DHS looking to create a central Risk Management program, seeing stories like this does not instill confidence that the U.S. Government, and the DHS in particular, are up to the challenge.

This slays me:

Chris Krebs, the undersecretary of NPPD, told CyberScoop that the department is “taking this opportunity to get some efficiencies into the system, but also to build resilience and redundancy.”

Those are the words uttered after every such event.

By the way for those not in the know, there is a well-known process call Disaster Recovery and Business Continuity Planning (DR/BCP) that has been around for decades to plan for just this sort of event.

Also on:

Maybe the National Risk Management Center Will Combat Critical Infrastructure Hacks

The National Risk Management Center Will Combat Critical Infrastructure Hacks:

At a cybersecurity summit Tuesday, Homeland Security secretary Kirstjen Nielsen announced the creation of the National Risk Management Center, which will focus on evaluating threats and defending US critical infrastructure against hacking. The center will focus on the energy, finance, and telecommunications sectors to start, and DHS will conduct a number of 90-day “sprints” throughout 2018 in an attempt to rapidly build out the center’s processes and capabilities.

“We are reorganizing ourselves for a new fight,” Nielsen said on Tuesday, who described the new center as a “focal point” for cybersecurity within the federal government. Nielsen also noted that DHS is working with members of Congress on organizational changes that can be mandated by law to improve DHS’s effectiveness and reach.

(Via Security Latest)

Based on the recent news from the Boston Globe about TSA wasting resources on zero value “security”, I am skeptical of how useful this will be in the U.S. Government’s security efforts. I seem to recall something similar was in the works over a decade ago.

However, Secretary Nelson seems to have said the right things in her talk:

  • Risk-based approach
  • Threat evaluation versus threat chasing
  • Focused on specific critical industries
  • Taking an agile development approach to building out capabilities
  • Working with Congress
  • Being the focal point for government

There are unanswered questions. We will get more answers as the process moves along.

I sincerely hope this isn’t another Security Theater opportunity to waste time and taxpayer resources.

Also on:

A Spectre is Haunting Unicode ←

A Spectre is Haunting Unicode:

In 1978 Japan’s Ministry of Economy, Trade and Industry established the encoding that would later be known as JIS X 0208, which still serves as an important reference for all Japanese encodings. However, after the JIS standard was released people noticed something strange – several of the added characters had no obvious sources, and nobody could tell what they meant or how they should be pronounced. Nobody was sure where they came from. These are what came to be known as the ghost characters (幽霊文字).

(Via dampfkraft.com)

Ohhh … I like this kind of mystery! Thx to @InfoSecSherpa for the heads up!

UPDATE: & thanks to @polm23 for the original write up!

Also on:

Secret Quiet Skies surveillance program tracks citizens not suspected of wrongdoing ←

Secret Quiet Skies surveillance program tracks citizens not suspected of wrongdoing:

Federal air marshals (FAMs) told the Globe that the program is a waste of taxpayer dollars and actually makes the U.S. less safe as they are not working on “legitimate, potential threats.” Many are not even sure if it is legal, but the TSA told the Globe it is part of its “mission to ensure the safety and security of passengers, crewmembers, and aircraft throughout the aviation sector. As its assessment capabilities continue to enhance, FAMS leverages multiple internal and external intelligence sources in its deployment strategy.”

But John Casaretti, president of the Air Marshal Association, said, “Currently the Quiet Skies program does not meet the criteria we find acceptable.” He added, “The American public would be better served if these [air marshals] were instead assigned to airport screening and check in areas so that active shooter events can be swiftly ended, and violations of federal crimes can be properly and consistently addressed.”

(Via CSO Online)

I almost understand the false sense of security current airport practices provide the average Jane and John Doe.

But super secret security theater busywork?

Also on:

Homeland Security photography alert is ‘a seed of fear’

Homeland Security photography alert is ‘a seed of fear’:

“I’d be real curious to see the research telling us that terrorists are prone to stand on public sidewalks conspicuously filming their intended targets ‘in a prolonged manner,’” LoMonte says. “This just seems like an invitation for people who don’t like journalists to sic the cops on them.”

(Via Columbia Journalism Review)

DHS is a monumentally flawed organization. Read the whole article for some idea of how DHS focuses on Security Theater & propaganda instead of, oh I don’t know, doing their jobs.

Also on:

The Space Force Should Improve the Cybersecurity of Space Assets

The Space Force Should Improve the Cybersecurity of Space Assets:

President Trump offered his support last month for the creation of a Space Force within the U.S. military. In a paper released last week, my Harvard colleague Greg Falco argues that one of the first missions for this new force should be to improve the cybersecurity of space assets. This proposal is worthy of deep consideration as the cybersecurity of space assets remains a top, if underexamined, priority for national security, and the opportunity to shape the roles and missions of a new Space Force will soon pass. 

Falco does not hype the threat, but his assessment of the risks are sobering: The consequences of disrupting or degrading connectivity are striking when one considers how much of U.S. critical infrastructure relies on connectivity in or through space. His recommendations take a similarly balanced approach and offer interested policymakers a few potential steps to get started, such as modifying pertinent sections of the Code of Federal Regulations. 

One area that could benefit from future research is how to deconflict roles and missions between a Space Force (or the military in general), the Department of Homeland Security, NASA and other parts of the federal government. This specific issue is a bit beyond the scope of Falco’s paper, but it reflects a challenge that still seems to bedevil federal cybersecurity policy: Who exactly is in charge of what?  Space assets and affiliated organizations span the military, civilian government and multiple private-sector spheres. Perhaps more than any other sector of the U.S. economy and society, improving the cybersecurity of space assets really will require a whole-of-nation approach. 

(Via Lawfare – Hard National Security Choices)

It’s a stupid name. However, I generally agree that this should be job #1. The risks are simply too great to delay action in understanding, mitigating, and remediating (where possible).

Also on:

Newsmaker Interview: Bruce Schneier on ‘Going Dark’ and the Crypto Arms Race

Newsmaker Interview: Bruce Schneier on ‘Going Dark’ and the Crypto Arms Race:

TP: Thinking about the FBI, is there is there a middle ground between the things that law enforcement wants to do and the people’s right for security and privacy?

Bruce: The middle ground is having less security and giving more access to people who want to break into systems – that’s the FBI and the Chinese government and cybercriminals. That’s the middle ground. Think of it as a dial. How much security do you want to have? How much access do you want?

This notion that I can build a backdoor that only works if a [person with a] certain morality tries to use it. That’s what doesn’t work. If you’re willing to have your nuclear power plant a little less safe in exchange for giving the FBI access, that’s your tradeoff.

(Via The first stop for security news | Threatpost)

A lightweight read that makes for a great resource when trying to explain this to non-security types.

※ Typical full disclosure as Bruce and I are part of the same organization.

Also on:

A counter argument on a government run cybersecurity “moonshot”

Evaluating a “Cybersecurity Moonshot”

For cybersecurity, however, the “moonshot” or the sometimes-interchangeable cyber “Manhattan Project” may not be the best models.

First, both the moonshot and the Manhattan Project were relatively focused, short-term efforts aimed at a single and clearly defined objective—land on the moon, explode an atomic bomb. We do not have the same clarity and focus for cybersecurity. Project Apollo, delayed by a tragic fire, took seven years to put people on the moon while the Manhattan Project took three years to build the atomic bomb. Both were well-resourced. It may be possible to match these speeds if the technological objective of the cybersecurity moonshot was clearly defined and if the United States is willing to make the needed investments, but the construct we call cyberspace is the most complex creation ever built by humans. There are entrenched interests fearful of any change, and the politics of a cyber moonshot will be much more daunting.

A cyber moonshot could increase its chances of success if it could identify technologies that would provide wide-ranging improvements for cybersecurity.

(Via csis.org)

This article raises some excellent concerns. Indeed, in order for this kind of thing to be successful (or like the Solarium Project I wrote about the other day) we need to define clear goals and objectives.

And we need fresh thinking, something VCs, the cybersecurity industry, and the US government largely lack at the moment. Everyone seems to be iterating the same concepts.

What do you think? Is this a space where a government run or sponsored project could, assuming the best conditions, make a noticeable impact?

Also on: