Sensible Security
Chapter 1
All Security Involves Trade-offs
In the wake of 9/11, many of us want to reinvent our ideas about security. But we don’t need to learn something completely new; we need to learn to be smarter, more skeptical, and more skilled about what we already know. Critical to any security decision is the notion of trade-offs, meaning the costs—in terms of money, convenience, comfort, freedoms, and so on—that inevitably attach themselves to any security system. People make security trade-offs naturally, choosing more or less security as situations change. This book uses a five-step process to demystify the choices and make the trade-offs explicit. A better understanding of trade-offs leads to a better understanding of security, and consequently to more sensible security decisions.
The attacks were amazing. If you can set aside your revulsion and horror—and I would argue that it’s useful, even important, to set them aside for a moment—you can more clearly grasp what the terrorists accomplished.
The attacks were amazing in their efficiency. The terrorists turned four commercial airplanes into flying bombs, killed some 3,000 people, destroyed $40 billion in property, and did untold economic damage. They altered the New York skyline as well as the political landscape of the U.S. and the whole world. And all this was done with no more than a thirty-person, two-year, half-million-dollar operation.
The attacks were amazing in the audacity of their conception. No one had ever done this before: hijack fuel-laden airplanes and fly them into skyscrapers. We’ll probably never know for sure if the terrorists counted on the heat from the ensuing fire to fatally weaken the steel supports and bring down the World Trade Center towers, but those who planned the attacks certainly chose long-distance flights as targets, since they would be carrying heavy fuel loads. The scheme’s audacity meant no one had planned a defense against this type of attack.
The attacks were amazing for their detailed planning and preparation and the discipline shown by the multilayered, compartmentalized organization that carried them out. The plan probably involved a total of some thirty people, and, of these, some had to have been willing to die. Others most likely had to be kept from knowing they were going to die. The keeping of secrets and careful parceling out of information doubtless required training. It required coordination. It required extraordinary discipline. Indeed, the sheer scope of the attacks seemed beyond the capability of a terrorist organization and in fact has forced us to revise our notions of what terrorist organizations are capable of.
At the same time, the entire operation was amazing in its technological simplicity. It required no advanced technology that couldn’t be hijacked or (as in the case of GPS devices) easily purchased. All technical training could be easily had. And there was no need for complex logistical support: Once the attacks were set in motion, the terrorists were on their own; and once they were in the air, each group of four or five was on its own, independent and self-sufficient.
The attacks were amazing because they rewrote the hijacking rulebook. Previous responses to hijackings centered around one premise: Get the plane on the ground so negotiations can begin. The threat of airplane bombings, we had come to believe, was solved by making sure passengers were on the same flights as their baggage. These attacks made all that obsolete.
The attacks were amazing because they rewrote the terrorism book, too. Al Qaeda recruited a new type of attacker. Not the traditional candidate—young, single, fanatical, and with nothing to lose—but people older and more experienced, with marketable job skills. They lived in the West, watching television, eating fast food, drinking in bars. Some vacationed in Las Vegas. One left a wife and four children. It was also a new page in the terrorism book in other ways. One of the most difficult things about a terrorist operation is getting away at the end. This suicide attack neatly solved that problem. The U.S. spends billions of dollars on remote-controlled precision-guided munitions, while all Al Qaeda had to do was recruit fanatics willing to fly planes into skyscrapers.
Finally, the attacks were amazing in their success rate. They weren’t perfect; 100 percent of the attempted hijackings were successful, but only 75 percent of the hijacked planes successfully reached their targets. We don’t know if other planned hijackings were aborted for one reason or another, but that success rate was more than enough to leave the world shocked, stunned, and more than a little bit fearful.
The plan’s size, discipline, and compartmentalization were critical in preventing the most common failure of such an operation: The plan wasn’t leaked. Al Qaeda had people in the U.S., in some cases for years, then in staged arrivals for months and then weeks as the team grew to full size. And, throughout, they managed to keep the plan secret. No one successfully defected. And no one slipped up and gave the plan away.
Not that there weren’t hints. Zacarias Moussaoui, the “twentieth hijacker,” was arrested by the FBI in Minnesota a month before the attacks. The local FBI office wanted to investigate his actions further. German intelligence had been watching some parts of the operation, and U.S. and French intelligence had been watching others. But no one “connected the dots” until it was too late, mostly because there really were no dots to connect. The plan was simply too innovative. There was no easy-to-compare template and no clear precedent, because these terrorists in a very real sense wrote the book—a new book.
Rarely does an attack change the world’s conception of attack.
And yet while no single preparation these terrorists made was in and of itself illegal, or so outlandish that it was likely to draw attention—taken together, put together in just this way, it was devastating. Nothing they did was novel—Tom Clancy wrote about terrorists crashing an airplane into the U.S. Capitol in 1996, and the Algerian GIA terrorist group tried to hijack a plane and crash it into the Eiffel Tower two years before that—yet the attack seemed completely new and certainly was wholly unexpected. So, not only did our conception of attack have to change; in response, so did our conception of defense.
••••
Since 9/11, we’ve grown accustomed to ID checks when we visit government and corporate buildings. We’ve stood in long security lines at airports and had ourselves and our baggage searched. In February 2003, we were told to buy duct tape when the U.S. color-coded threat level was raised to Orange. Arrests have been made; foreigners have been deported. Unfortunately, most of these changes have not made us more secure. Many of them may actually have made us less secure.
The problem is that security’s effectiveness can be extremely hard to measure. Most of the time, we hear about security only when it fails. We don’t know how many, if any, additional terrorist attacks were prevented or aborted or scared off prior to 9/11. We don’t know what, if anything, we could have done to foil the 9/11 attacks, and what additional security would have merely been bypassed by minor alterations in plans. If the 9/11 attacks had failed, we wouldn’t know whether it had been because of diligent security or because of some unrelated reason. We might not have known about them at all. Security, when it is working, is often invisible not only to those being protected, but to those who plan, implement, and monitor security systems.
But it gets even more complicated than that. Suppose security is perfect, and there are no terrorist attacks; we might conclude that the security expenditures are wasteful, because the successes remain invisible. Similarly, security might fail without us knowing about it, or might succeed against the attacks we know about but fail in the face of an unforeseen threat. A security measure might reduce the likelihood of a rare terrorist attack, but could also result in far greater losses from common criminals. What’s the actual risk of a repeat of 9/11? What’s the risk of a different but equally horrific sequel? We don’t know.
In security, things are rarely as they seem. Perfectly well-intentioned people often advocate ineffective, and sometimes downright countereffective, security measures. I want to change that; I want to explain how security works.
Security is my career. For most of my life, I have been a professional thinker about security. I started out focusing on the mathematics of security—cryptography—and then computer and network security; but more and more, what I do now focuses on the security that surrounds our everyday lives. I’ve worked for the Department of Defense, implementing security solutions for military installations. I’ve consulted for major financial institutions, governments, and computer companies. And I founded a company that provides security monitoring services for corporate and government computer networks.
Since the attacks of 9/11, I have been asked more and more about our society’s security against terrorism, and about the security of our society in general. In this book, I have applied the methods that I and others have developed for computer security to security in the real world. The concepts, ideas, and rules of security as they apply to computers are essentially no different from the security concepts, ideas, and rules that apply, or should apply, to the world at large. The way I see it, security is all of a piece. This attitude puts me, I suspect, in a minority among security professionals. But it is an attitude, I believe, that helps me to see more clearly, to reason more dispassionately than other security professionals, and to sort out effective and ineffective security measures.
This book is about security: how it works and how to think about it. It’s not about whether a particular security measure works, but about how to analyze and evaluate security measures. For better or worse, we live in a time when we’re very likely to be presented with all kinds of security options. If there is one result I would like to see from this book, it is that readers come away from reading it with a better sense of the ideas and the security concepts that make systems work—and in many cases not work. These security concepts remain unchanged whether you’re a homeowner trying to protect your possessions against a burglar, the President trying to protect our nation against terrorism, or a rabbit trying to protect itself from being eaten.
The attackers, defenders, strategies, and tactics are different from one security situation to another, but the fundamental principles and practices—as well as the basic and all-important ways to think about security—are identical from one security system to another.
Whether your concern is personal security in the face of increasing crime, computer security for yourself or your business, or security against terrorism, security issues affect us more and more in our daily lives, and we should all make an effort to understand them better. We need to stop accepting uncritically what politicians and pundits are telling us. We need to move beyond fear and start making sensible security trade-offs.
••••
And “trade-off” really is the right word. Every one of us, every day of our lives, makes security trade-offs. Even when we’re not thinking of threats or dangers or attacks, we live almost our entire lives making judgments about security, assessments of security, assumptions regarding security, and choices about security.
When we brush our teeth in the morning, we’re making a security trade-off: the time spent brushing in exchange for a small amount of security against tooth decay. When we lock the door to our home, we’re making a security trade-off: the inconvenience of carrying and using a key in exchange for some security against burglary (and worse). One of the considerations that goes into which car we purchase is security against accidents. When we reach down at a checkout counter to buy a candy bar and notice that the package has been opened, why do we reach for another? It’s because a fully wrapped candy bar is a better security trade-off, for the same money, than a partially wrapped one.
Security is a factor when we decide where to invest our money and which school to send our children to. Cell phone companies advertise security as one of the features of their systems. When we choose a neighborhood to live in, a place to vacation, and where we park when we go shopping, one of our considerations is security.
We constantly make security trade-offs, whether we want to or not, and whether we’re aware of them or not. Many would have you believe that security is complicated, and should be best left to the experts. They’re wrong. Making security trade-offs isn’t some mystical art like quantum mechanics. It’s not rocket science. You don’t need an advanced degree to do it. Everyone does it every day; making security trade-offs is fundamental to being alive. Security is pervasive. It’s second nature, consciously and unconsciously part of the myriad decisions we make throughout the day.
The goal of this book is to demystify security, to help you move beyond fear, and give you the tools to start making sensible security trade-offs. When you’re living in fear, it’s easy to let others make security decisions for you. You might passively accept any security offered to you. This isn’t because you’re somehow incapable of making security trade-offs, but because you don’t understand the rules of the game.