October 22, 2002
by Sarah Granger
Security is the newest over-hyped commodity in the United States.
I keep visualizing driving down highway 101 past billboards that
read: "Big government wants big security" along with a picture of
an ape beating on its chest. Somehow as seriously as they say they
are, I'm not convinced.
Most Americans reacted positively to heightened security last year,
but I kept asking myself: why is the United States Government Hype
Machine (hereinafter shortened to UGH) only now getting a clue?
Why were the people in Washington snoring at the wheel? I have this
flaw of wanting to understand ineptitude because it just does not
compute. I knew all too well from working as a network consultant
that it's rare to get upper management to even listen to requests
for increased security let alone sign-off on funds to make anything
truly secure. UGH is just a bloated corporation in its reactive
response. Nobody ever pays attention to security until after they
get hacked or some catastrophe occurs.
Here's the latest on the policy side: Airsick bags are located
in the pouch in front of your seat. The Department of Homeland Security
has yet to be officially defined. The Cybersecurity plan is weak.
Nobody has faith in Tom Ridge or Richard Clarke, the new poster
boys. Also, the USA PATRIOT Act (USAPA) is losing steam. (It expires
in December, 2005 but much damage can still be done.)
Some of the proposed changes make sense, but they're still buried
in UGH buzzwords. "Homeland security." Groan. That sounds
like a 2am infomercial for a cheap alarm system. "Cybersecurity."
Oh please...I doubt William Gibson had this in mind when he wrote
Neuromancer. Next, the UGH commanders will claim they invented the
Internet. How can we take their plans seriously if everything is
buried in a mishmash of hype? How can we have any confidence in
the future success of these projects? Why do they think they'll
be able to succeed where they've failed before?
I'm not an anarchist and I'm not crying "Big Brother." I've had
a U.S. government security clearance. I take national security extremely
seriously. This is precisely why I feel that the powers-that-be
just don't seem to get it.
Take biometrics for example. I've been studying this topic lately
and the security of most biometric technologies is a joke. Everyone
who knows anything about biometrics will state as a disclaimer:
"well, this biometric is pretty effective but only under certain
conditions with small groups." That really sums it up. There have
been some successful applications for biometrics in various governments
and military organizations, but all under test groups who had no
real choice in whether to participate and all under limited conditions.
One saving grace Ð there is a growing contingent of people out
there who are realizing that security's not something we can attach
to the grinding cogs of government and make work smoothly or immediately.
Privacy activists began raising red flags as soon as the USAPA passed.
After the mourning period ended, a few congress members dared to
peep. Now more people are rallying for the government to be smart
about security. And the Cybersecurity plan is about to be laughed
out of town Bruce Schneier wrote in this week's Crypto-Gram
that the plan's recommendations don't do squatsolid laws mandate
action; touchy-feely requests are useless.
I attended an event last week where the speakers discussed the
topic of "Silicon Valley Technology and Homeland Defense." The panel
of speakers included former Senator Gary Hart, Co-chair of the U.S.
Commission on National Security/ 21st Century, U.S. Army Lieutenant
General Joseph Kellogg, and representatives from Cisco, IBM, and
Siebel. Hart explained what national security really should be and
made sense where most UGH descriptions failed. (Hart and former
Senator Warren Rudman put together an extensive document a couple
of years ago warning of future terrorist attacks on the magnitude
of that which occurred September 11, 2001. Their document didn't
get any attention then, but it is now.)
Hart's allegory is simple: picture a room with 40 computers monitored
by 40 different people, each from different arms of the U.S. government,
such as FEMA, the FBI, Secret Service, and U.S. Customs. I guess
this really exists. None of the computers are on the same network,
none use the same software, and the people who use these machines
change shifts at random times without ever updating each other on
their states. The concept of one department to consolidate these
activities and act as a sort of national security project manager
is not a bad idea. The problem is that nothing is really defined
as of yet, so we're just stuck in the mud spinning our wheels.
So what is the reason for the hype machine? The short answer is
fear. The reactive response is often a necessary evil, but there's
a time and a place for getting on with business as usual. The U.S.
government is an organization like any other. It just happens to
be bigger and even more powerful than Microsoft. So the result is
that the usually sluggish reaction to adversaries means that people
got scared, people rallied, but the time is up for responses. Let's
deal with the security issues and move on.
While UGH goes about fluffing up its feathers in some territorial
ritual, let's be realistic security is not a simple undertaking.
No matter how committed a government is, real national security
is not a simple goal to achieve. It's a simple concept, yes. Protect
the people of the nation. Protect the children (because that always
gets sympathy points). Protect the crops. Protect the businesses...whatever
the special interest groups require. Simple concepts, however, do
not always have simple solutions. Here are the first problems that
come to mind when exploring a stronger national security infrastructure:
First off: loss of privacy. Doubtless, we've all heard about this
one. Nobody wants personal information stored in massive databases
used by mass numbers of people. It's not safe. Something like a
National ID will not fly if every local policeman in the country
can spot check our identity when we're walking the dog, requesting
fingerprint checks of both Ralph and Fido. Identity theft is rampant.
Along with the annoyance factor comes a loss in dignity when personal
information is stolen.
Along the same lines, surveillance did increase after the USAPA
passage. It's oddly mystifying to find actual numbers as most government
agencies are tight-lipped on this one, but I know for a fact that
sales spiked at the International Spy Shop. (They do have nifty
gadgets. Who wouldn't want to use one now that wiretaps are easier?)
We all know the adage: "Absolute power corrupts absolutely." Try
"Who's gonna babysit the babysitter?" The result of privacy concerns
is decreased faith in government. True security should instill confidence
The next problem: implementation. Training of government staff,
airport staff, national guard, and even regular citizens is expensive.
It's also time-consuming and it must be done for every person who
is at all a part of the system. We've all seen how airport security
is a joke. A friend of mine got through with 8-inch sewing scissors.
A pilot friend of hers got through with a 9mm handgun. Truly. He
resigned that day. I don't blame him.
Mass systems always have backdoors and security holes. Not on purpose.
They just do. If authorized users can get in, so can unauthorized
users somehow. Plugging the holes will take a lot of time and money.
And let's not forget Murphy's Law. It usually strikes twice in any
system implementation. Security is no exception.
Finally, UGH needs a reality check. Any system is only as secure
as its weakest link. The weakest link is nearly always human error.
Of course tired security personnel can't perform up to snuff. And
who always loses their passwords? I can assure you it's not
the computer. Someone will always screw-up. Also, someone will always
be offended. It's impossible to make everyone happy. The transition
will not be smooth or quick. It seems UGH is beginning to catch
wind of this, which is slightly refreshing, but we still have a
long way to go.
One thing the US Army Lieutenant General said during last week's
Silicon Valley panel was: "sometimes we know too much about
security...sometimes you have to take a little risk. We make the
mistake that they're bigger than they are." In other words,
we don't need perfection. We do, however, need something that works.
A serious look at security is overdue for the U.S. and many other
countries. If the leaders of the world are to be continually threatened
by those who begrudge their status in world affairs, they must take
national security seriously. Strong security at the price of fear,
privacy, and serenity is a joke because the human link will break
down. Citizens won't participate. What we need now is confidence,
not fear - and focus, not hype.
Sarah Granger currently
spends most of her time at the Electronic
Frontier Foundation office working on a variety of cool projects.
She also writes articles for Security Focus and does some independent
Cybersecurity plan too drafty,
by Scott R. Burnell, UPI Science News, September
Debate Hits the Road,
by Paul Roberts, IDG News Service, October 17, 2002
of Homeland Security home page
Analysis Of The Provisions Of The USA PATRIOT Act
Strategy to Secure Cyberspace, by Bruce Schneier, Cryptogram,
October 15, 2002,
the Paper Tiger of Cyberterrorism, by Richard Forno, SecurityFocus,
September 25, 2002
Valley Technology and Homeland Defense Event, Palo Alto, California,
October 10, 2002
PATRIOT Act Text