I have read his newsletter for some time now, and he recently put up a link to his newsletter following 9/11 that I hadn't read before. He makes some interesting points in it about various things; one section in particular seemed to deal with the same topic that the most active current thread in this forum deals with.
He has even more recently written some essays on the current state of the world since 9/11, including a relatively common-sense description of
Crypto-Gram: September 30, 2001 wrote:
Protecting Privacy and Liberty
Appalled by the recent hijackings, many Americans have declared themselves willing to give up civil liberties in the name of security. They've declared it so loudly that this trade-off seems to be a fait accompli. Article after article talks about the balance between privacy and security, discussing whether various increases of security are worth the privacy and civil-liberty losses. Rarely do I see a discussion about whether this linkage is a valid one.
Security and privacy are not two sides of a teeter-totter. This association is simplistic and largely fallacious. It's easy and fast, but less effective, to increase security by taking away liberty. However, the best ways to increase security are not at the expense of privacy and liberty.
It's easy to refute the notion that all security comes at the expense of liberty. Arming pilots, reinforcing cockpit doors, and teaching flight attendants karate are all examples of security measures that have no effect on individual privacy or liberties. So are better authentication of airport maintenance workers, or dead-man switches that force planes to automatically land at the closest airport, or armed air marshals traveling on flights.
Liberty-depriving security measures are most often found when system designers failed to take security into account from the beginning. They're Band-aids, and evidence of bad security planning. When security is designed into a system, it can work without forcing people to give up their freedoms.
Here's an example: securing a room. Option one: convert the room into an impregnable vault. Option two: put locks on the door, bars on the windows, and alarm everything. Option three: don't bother securing the room; instead, post a guard in the room who records the ID of everyone entering and makes sure they should be allowed in.
Option one is the best, but is unrealistic. Impregnable vaults just don't exist, getting close is prohibitively expensive, and turning a room into a vault greatly lessens its usefulness as a room. Option two is the realistic best; combine the strengths of prevention, detection, and response to achieve resilient security. Option three is the worst. It's far more expensive than option two, and the most invasive and easiest to defeat of all three options. It's also a sure sign of bad planning; designers built the room, and only then realized that they needed security. Rather than spend the effort installing door locks and alarms, they took the easy way out and invaded people's privacy.
A more complex example is Internet security. Preventive countermeasures help significantly against script kiddies, but fail against smart attackers. For a couple of years I have advocated detection and response to provide security on the Internet. This works; my company catches attackers -- both outside hackers and insiders -- all the time. We do it by monitoring the audit logs of network products: firewalls, IDSs, routers, servers, and applications. We don't eavesdrop on legitimate users or read traffic. We don't invade privacy. We monitor data about data, and find abuse that way. No civil liberties are violated. It's not perfect, but nothing is. Still, combined with preventive security products it is more effective, and more cost-effective, than anything else.
The parallels between Internet security and global security are strong. All criminal investigation looks at surveillance records. The lowest-tech version of this is questioning witnesses. In this current investigation, the FBI is looking at airport videotapes, airline passenger records, flight school class records, financial records, etc. And the better job they can do examining these records, the more effective their investigation will be.
There are copycat criminals and terrorists, who do what they've seen done before. To a large extent, this is what the hastily implemented security measures have tried to prevent. And there are the clever attackers, who invent new ways to attack people. This is what we saw on September 11. It's expensive, but we can build security to protect against yesterday's attacks. But we can't guarantee protection against tomorrow's attacks: the hacker attack that hasn't been invented, or the terrorist attack yet to be conceived.
Demands for even more surveillance miss the point. The problem is not obtaining data, it's deciding which data is worth analyzing and then interpreting it. Everyone already leaves a wide audit trail as we go through life, and law enforcement can already access those records with search warrants. The FBI quickly pieced together the terrorists' identities and the last few months of their lives, once they knew where to look. If they had thrown up their hands and said that they couldn't figure out who did it or how, they might have a case for needing more surveillance data. But they didn't, and they don't.
More data can even be counterproductive. The NSA and the CIA have been criticized for relying too much on signals intelligence, and not enough on human intelligence. The East German police collected data on four million East Germans, roughly a quarter of their population. Yet they did not foresee the peaceful overthrow of the Communist government because they invested heavily in data collection instead of data interpretation. We need more intelligence agents squatting on the ground in the Middle East arguing the Koran, not sitting in Washington arguing about wiretapping laws.
People are willing to give up liberties for vague promises of security because they think they have no choice. What they're not being told is that they can have both. It would require people to say no to the FBI's power grab. It would require us to discard the easy answers in favor of thoughtful answers. It would require structuring incentives to improve overall security rather than simply decreasing its costs. Designing security into systems from the beginning, instead of tacking it on at the end, would give us the security we need, while preserving the civil liberties we hold dear.
Some broad surveillance, in limited circumstances, might be warranted as a temporary measure. But we need to be careful that it remain temporary, and that we do not design surveillance into our electronic infrastructure. Thomas Jefferson once said: "Eternal vigilance is the price of liberty." Historically, liberties have always been a casualty of war, but a temporary casualty. This war -- a war without a clear enemy or end condition -- has the potential to turn into a permanent state of society. We need to design our security accordingly.
The events of September 11th demonstrated the need for America to redesign our public infrastructures for security. Ignoring this need would be an additional tragedy.
what terrorists want and why they are getting it, and why airport security (following the terrorist arrests in England last month) is not actually security but security theater.
He's a pretty smart guy, one of the best in his field. That isn't to say he's the leading expert on terrorism or real-world security, but I find myself agreeing with a lot of the things he says and find most of his newsletters worthy of a read. It's Friday afternoon, so if you have some time to kill before the weekend, take a look. Comments and flames are encouraged.
Crypto-Gram: August 15, 2006 wrote:
It's easy to defend against what terrorists planned last time, but it's shortsighted. If we spend billions fielding liquid-analysis machines in airports and the terrorists use solid explosives, we've wasted our money. If they target shopping malls, we've wasted our money. Focusing on tactics simply forces the terrorists to make a minor modification in their plans. There are too many targets -- stadiums, schools, theaters, churches, the long line of densely packed people in front of airport security -- and too many ways to kill people.
Security measures that attempt to guess correctly don't work, because invariably we will guess wrong. It's not security, it's security theater: measures designed to make us feel safer but not actually safer.
Airport security is the last line of defense, and not a very good one at that. Sure, it'll catch the sloppy and the stupid -- and that's a good enough reason not to do away with it entirely -- but it won't catch a well-planned plot. We can't keep weapons out of prisons; we can't possibly keep them off airplanes.
The goal of a terrorist is to cause terror. Last week's arrests demonstrate how real security doesn't focus on possible terrorist tactics, but on the terrorists themselves. It's a victory for intelligence and investigation, and a dramatic demonstration of how investments in these areas pay off.
And what can you do to help? Don't be terrorized. They terrorize more of us if they kill some of us, but the dead are beside the point. If we give in to fear, the terrorists achieve their goal even if they are arrested. If we refuse to be terrorized, then they lose -- even if their attacks succeed.